Security

Who do saved scheduled searches run as?

juniormint
Communicator

I'm trying to figure out how to have a saved search editable by all the people in a role without creating an opportunity for privileged escalation. This led me to ask questions around who a saved search run's as.

How does it work? Is it the owner? If yes, what if no owner is specified?

I think I would like it to be something like specify a role that it runs as. Is something like that doable?

1 Solution

somesoni2
SplunkTrust
SplunkTrust

The saved searches run as the user who owns it. If no owner is specified (No owner is shown in UI or nobody in .meta files), it runs as splunk-system-user account. If you want searches to run as a role, you need to create a user (can keep the same name as the role) having that role and change the owner of the search with that role (by updating owner property in local.meta file).

View solution in original post

woodcock
Esteemed Legend

NEW FEATURE UPDATE! See documentation here:

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Report/Createandeditreports

5. (Optional) Determine whether the search should run as Owner or run as User.

This setting determines whether the search runs with the permissions of the search Owner (the person who defined the search) or the permissions of the search User (the person who is running the search). Reports run as Owner by default.

For a detailed explanation of why this setting is significant and how it works, see "Running reports as the report owner or report user," in this topic.

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Report/Createandeditreports#Determine_whether_t...

somesoni2
SplunkTrust
SplunkTrust

The saved searches run as the user who owns it. If no owner is specified (No owner is shown in UI or nobody in .meta files), it runs as splunk-system-user account. If you want searches to run as a role, you need to create a user (can keep the same name as the role) having that role and change the owner of the search with that role (by updating owner property in local.meta file).

juniormint
Communicator

what access does splunk-system-user have? Is it like god access?

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...