I was able to edit and save an existing inline extraction (not owned by me), as a regular user assigned to a role that does not have write permission for the extraction. How can this be?
The extraction is the delivered "django_access : EXTRACT-extract_spent" extraction that grants Read access to Everyone, but does not grant Write access to my role:
These are the capabilities assigned to my role:
[role_lvmvuser]
admin_all_objects = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
pattern_detect = enabled
rest_properties_get = enabled
schedule_search = enabled
search = enabled
search_process_config_refresh = enabled
srchIndexesAllowed = lvmv
srchIndexesDefault = lvmv
srchMaxTime = 0
Is there a capability that is allowing me to edit an extract even though the extract shows I don't have write permission? Is this a security flaw in Splunk?
This issue will prevent us from deploying Splunk in our organization as we need to be able to secure extractions, etc. based on the permissions set.
The admin_all_objects = enabled capability lets your role edit any object in Splunk regardless of the object's permissions.
See: https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities
Mason, I agree that is why any user is able to edit any saved extraction, etc., however when we remove that capability from the role it prevents a user from saving any extractions, etc. Users receive this error:
User 'xxxxxxx' with roles { lvmvuser, xxxxxx } cannot write: /nobody/search/props/lvmump-access/EXTRACT-lvmump-access-log { read : [ * ], write : [ admin, power ] }, export: global, removable: no
Do you know of another capability that gives users the ability to create and save objects?
Thks
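A simplified model of the check behind Mason's answer and the error message above, as an added example (not from this thread or from Splunk itself): it reads an authorize.conf role stanza like the one in the question, parses the ACL quoted in the error, and shows why admin_all_objects lets the write through while a role without it is refused by the ACL. The hardened role name and the sample stanzas are constructed, and role inheritance (importRoles) is ignored.

```python
"""Model of Splunk's knowledge-object write check (constructed example)."""
import configparser
import re

# Constructed authorize.conf excerpt: the role from the question plus a
# hypothetical hardened copy that drops admin_all_objects.
AUTHORIZE_CONF = """
[role_lvmvuser]
admin_all_objects = enabled
search = enabled
srchIndexesAllowed = lvmv

[role_lvmvuser_hardened]
search = enabled
srchIndexesAllowed = lvmv
"""

# The ACL exactly as quoted in the "cannot write" error above.
ACL_LINE = "{ read : [ * ], write : [ admin, power ] }"


def load_roles(conf_text):
    """Return {role_name: {capability: value}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}


def parse_acl(acl_text):
    """Parse '{ read : [ * ], write : [ admin, power ] }' into {perm: [roles]}."""
    acl = {}
    for perm, roles in re.findall(r"(\w+)\s*:\s*\[([^\]]*)\]", acl_text):
        acl[perm] = [r.strip() for r in roles.split(",") if r.strip()]
    return acl


def can_write(user_roles, acl, roles):
    """True if any of the user's roles may write the object.
    admin_all_objects bypasses the ACL entirely; otherwise the role must be
    listed under write (or write must be '*')."""
    if any(roles.get(r, {}).get("admin_all_objects") == "enabled" for r in user_roles):
        return True
    writers = acl.get("write", [])
    return "*" in writers or any(r in writers for r in user_roles)


def overprivileged_roles(roles):
    """Audit helper: roles other than admin that carry admin_all_objects."""
    return sorted(r for r, caps in roles.items()
                  if r != "admin" and caps.get("admin_all_objects") == "enabled")
```

Run overprivileged_roles() against your real authorize.conf to list every role that can edit objects regardless of their ACLs.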
IMO, the culprit is admin_all_objects = enabled, which allows you to edit all objects (admin privileges). If you're a regular user or have a regular user role, this capability shouldn't be there.
Normally I would agree with you, however we found that we were not able to save the inline extracts, reports, etc. if we did not have the admin_all_objects capability. Do you know of a different capability that provides the ability to create/save extracts, etc.?
Thks