Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Where can we see access/permission issues?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are moving several admin folks to be power users. During the transition we might have permission issue. Where can we see them?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @nickhillscpl. If there are any errors, would they be in _internal or _audit?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There wont be any errors, as there is no concept of "permission denied" (for users), so you wont see any errors anywhere.
Splunk will give you access to everything you have - if you dont have access to it, you simply wont be told that it even exists.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thinking about this... rest api calls will fail if you don’t have permissions, so that is an exception.
Probably only an issue if any of your users are developers, in which case they will be logged in _internal
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
