Security

What permissions do I need to give a user on the master node to view the monitoring console?

New Member

What capabilities I need to give to particular user on master node in order to view monitoring console?

Right now I have given adminallobjects capability.

But when I am checking health check it is showing instances not reachable.

And if I am logging in with admin credentials all instances are showing as reachable.

Currently I have given user and power role to user along with adminallobjects capability.

Thanks in advance.

0 Karma

Splunk Employee
Splunk Employee

You need to provide in total three capabilities to view the monitoring console for user privileges.

1).adminallobjests.

2).dispatchrestto_indexers.

3).editdistpeer.

The dispatchresttoindexers capability will show the resource usage of each instance and editdist_peer will fix the instance unreachable error.

0 Karma

SplunkTrust
SplunkTrust

Hi swmishra [Splunk],

Thanks for your feedback, but I think the advice given with this answer is not correct and dangerous. Granting users admin_all_objects will make them an admin of your instance, and is not needed just to view the monitoring console nor recommended security wise.

Take a look at my posted [role_mc-users] config it contains all capabilities needed to grant secure access for users to the monitoring console.

Hope this helps ...

cheers, MuS

SplunkTrust
SplunkTrust

Hi nabhosal,

There is no need to grant admin_all_objects to a user to access MC; you can create a new role with these limited capabilities:

[role_mc-users]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
dispatch_rest_to_indexers = enabled
importRoles = power;user
license_tab = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
srchIndexesAllowed = _*
srchIndexesDefault = _*
srchMaxTime = 0

and allow this role read access to the Monitoring Console app. This will do the task.

Hope this helps ...

cheers, MuS

Communicator

@MuS - We have created a non-admin role with all the above capabilities but a user in the role is unable to launch the health check tab. It does nothing and is stuck at "Loading...". An admin can pull up the page immediately.

@swmishrasplunk I do understand that adminall_objects can fix this problem but the whole point is assigning only appropriate permissions so as to allow a non-admin execute health checks.

Can you please advise if some other capability can allow us to view the health check page?

0 Karma

SplunkTrust
SplunkTrust

Hi vik_splunk,

the question here was ... to view ... the MC and that's what this role provides, capabilities to view the MC. I never tested nor intended to have this role run a health check to be honest.

cheers, MuS

0 Karma

Communicator

Ah ok @MuS . With some testing I was able to figure out the answer to my question.

In addition to editdistpeer, edit_health does the trick. I.e your mc users capability + the above two edit roles is what I was looking for. Hope it helps someone attempting to set something up similar.

0 Karma

Legend

Hi nabhosal,
see at http://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/Deploymentsetupsteps .
the problem isn't user capabilities, you have to configure your DMC to see all Splunk systems data, in other words "Add all instances as search peers".

Bye.
Giuseppe

0 Karma