Security

delete_by_keyword not working

athorat
Communicator

Want to grant delete permissions for a non admin account for specific prod-test-* indexes
Created a new role and mapped it to an AD group but does not seem to like it. Users still get , Error in 'delete' command: You have insufficient privileges to delete events.

[role_test_access]
srchIndexesAllowed = _audit
deleteIndexesAllowed = prod-test*
delete_by_keyword= enabled

Any suggestions highly appreciated.

Tags (2)
0 Karma

renjith_nair
Legend

@athorat,

Add the below also to your authorize.conf

importRoles = can_delete
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

athorat
Communicator

Thanks @renjith.nair , Doesnt seem to work.

0 Karma

renjith_nair
Legend

@athorat,
Have you posted your entire role definition above or is it only some part of it?
Because, search capability is missing in the above role definition which is required and also the srchIndexesAllowed has only _audit. Probably you need to add prod-test* as well so that the users can search on those indexes as well.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...