Security

delete_by_keyword not working

athorat
Communicator

Want to grant delete permissions for a non admin account for specific prod-test-* indexes
Created a new role and mapped it to an AD group but does not seem to like it. Users still get , Error in 'delete' command: You have insufficient privileges to delete events.

[role_test_access]
srchIndexesAllowed = _audit
deleteIndexesAllowed = prod-test*
delete_by_keyword= enabled

Any suggestions highly appreciated.

Tags (2)
0 Karma

renjith_nair
Legend

@athorat,

Add the below also to your authorize.conf

importRoles = can_delete
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

athorat
Communicator

Thanks @renjith.nair , Doesnt seem to work.

0 Karma

renjith_nair
Legend

@athorat,
Have you posted your entire role definition above or is it only some part of it?
Because, search capability is missing in the above role definition which is required and also the srchIndexesAllowed has only _audit. Probably you need to add prod-test* as well so that the users can search on those indexes as well.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...