Security

delete_by_keyword not working

Communicator

Want to grant delete permissions for a non admin account for specific prod-test-* indexes
Created a new role and mapped it to an AD group but does not seem to like it. Users still get , Error in 'delete' command: You have insufficient privileges to delete events.

[role_test_access]
srchIndexesAllowed = _audit
deleteIndexesAllowed = prod-test*
delete_by_keyword= enabled

Any suggestions highly appreciated.

Tags (2)
0 Karma

SplunkTrust
SplunkTrust

@athorat,

Add the below also to your authorize.conf

importRoles = can_delete
0 Karma

Communicator

Thanks @renjith.nair , Doesnt seem to work.

0 Karma

SplunkTrust
SplunkTrust

@athorat,
Have you posted your entire role definition above or is it only some part of it?
Because, search capability is missing in the above role definition which is required and also the srchIndexesAllowed has only _audit. Probably you need to add prod-test* as well so that the users can search on those indexes as well.

0 Karma