Security

delete_by_keyword not working

athorat
Communicator

Want to grant delete permissions for a non admin account for specific prod-test-* indexes
Created a new role and mapped it to an AD group but does not seem to like it. Users still get , Error in 'delete' command: You have insufficient privileges to delete events.

[role_test_access]
srchIndexesAllowed = _audit
deleteIndexesAllowed = prod-test*
delete_by_keyword= enabled

Any suggestions highly appreciated.

Tags (2)
0 Karma

renjith_nair
Legend

@athorat,

Add the below also to your authorize.conf

importRoles = can_delete
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

athorat
Communicator

Thanks @renjith.nair , Doesnt seem to work.

0 Karma

renjith_nair
Legend

@athorat,
Have you posted your entire role definition above or is it only some part of it?
Because, search capability is missing in the above role definition which is required and also the srchIndexesAllowed has only _audit. Probably you need to add prod-test* as well so that the users can search on those indexes as well.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...