Security

Why was I able to edit an inline extraction where my role only has "read" permission

ksoucy
Path Finder

I was able to edit and save an existing inline extraction (not owned by me), as a regular user assigned to a role that does not have write permission for the extraction. How can this be?

The extraction is the delivered "django_access : EXTRACT-extract_spent" extraction that grants Read access to Everyone, but does not grant Write access to my role:

These are the capabilities assigned to my role:
[role_lvmvuser]
admin_all_objects = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
pattern_detect = enabled
rest_properties_get = enabled
schedule_search = enabled
search = enabled
search_process_config_refresh = enabled
srchIndexesAllowed = lvmv
srchIndexesDefault = lvmv
srchMaxTime = 0

Is there a capability that is allowing me to edit an extract even though the extract shows I don't have write permission? Is this a security flaw in Splunk?
This issue will prevent us from deploying Splunk in our organization as we need to be able to secure extractions, etc. based on the permissions set.

0 Karma

masonmorales
Influencer

The admin_all_objects = enabled capability lets your role edit any object in Splunk regardless of the object's permissions.

See: https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities


0 Karma
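
An added example (not from the thread and not Splunk's own code): a simplified Python model of the behaviour the accepted answer describes, reading an authorize.conf-style role stanza and showing that admin_all_objects short-circuits an object's write ACL. The role_lvmvanalyst stanza and all function names are constructed for illustration; matching ACL entries against directly assigned roles only is a simplifying assumption.

```python
import configparser

# Constructed sample: the [role_lvmvuser] stanza from the question (abridged),
# plus a hypothetical role that inherits from it through importRoles.
SAMPLE_AUTHORIZE_CONF = """
[role_lvmvuser]
admin_all_objects = enabled
schedule_search = enabled
search = enabled
srchIndexesAllowed = lvmv

[role_lvmvanalyst]
importRoles = lvmvuser
search = enabled
"""

def load_roles(conf_text):
    """Return {role: {"caps": set, "imports": list}} from authorize.conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case (srchIndexesAllowed, importRoles)
    cp.read_string(conf_text)
    roles = {}
    for section in (s for s in cp.sections() if s.startswith("role_")):
        items = dict(cp.items(section))
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        imports = [r.strip() for r in items.get("importRoles", "").split(";") if r.strip()]
        roles[section[len("role_"):]] = {"caps": caps, "imports": imports}
    return roles

def effective_caps(roles, role, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # unknown role or import cycle
        return set()
    seen.add(role)
    caps = set(roles[role]["caps"])
    for parent in roles[role]["imports"]:
        caps |= effective_caps(roles, parent, seen)
    return caps

def can_write(roles, user_roles, acl_write):
    """Return (allowed, reason) for writing an object with this write ACL."""
    for r in user_roles:
        if "admin_all_objects" in effective_caps(roles, r):
            return True, f"role '{r}' holds admin_all_objects; object ACL is bypassed"
    if "*" in acl_write or set(user_roles) & set(acl_write):
        return True, "a user role is listed in the object's write ACL"
    return False, "no write ACL entry and no admin_all_objects"
```

Running `can_write` with the write list from the error message later in the thread (`admin`, `power`) shows both outcomes: allowed while the capability is enabled, denied once it is removed and the role is not in the write list.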

ksoucy
Path Finder

Mason, I agree that is why any user is able to edit any saved extraction, etc.; however, when we remove that capability from the role it prevents a user from saving any extractions, etc. Users receive this error:

User 'xxxxxxx' with roles { lvmvuser, xxxxxx } cannot write: /nobody/search/props/lvmump-access/EXTRACT-lvmump-access-log { read : [ * ], write : [ admin, power ] }, export: global, removable: no

Do you know of another capability that gives users the ability to create and save objects?

Thanks

0 Karma

somesoni2
Revered Legend

IMO, the culprit is admin_all_objects = enabled, which allows you to edit all objects (admin privileges). If you're a regular user or have a regular user role, this capability shouldn't be there.

0 Karma

ksoucy
Path Finder

Normally I would agree with you; however, we found that we were not able to save the inline extracts, reports, etc. if we did not have the admin_all_objects capability. Do you know of a different capability that provides the ability to create/save extracts, etc.?

Thanks

0 Karma