Security

how to set the user role "USER" not to delete saved searches and field extractions

shariinPH
Contributor

Hi all,

I want to remove the capability of the user role user not to delete savedsearches and field extractions.
Any idea to do that?
Thanks

0 Karma

jeffland
SplunkTrust
SplunkTrust

Are you looking for admin_all_objects?

shariinPH
Contributor

how does that work @jeffland?

0 Karma

jeffland
SplunkTrust
SplunkTrust

To do it via the web interface, navigate to Settings > Access controls (with your admin user of course) and select "Roles". Click the role "user" and remove said capability from his list.

0 Karma

shariinPH
Contributor

does this capability won't allow the user role "user" delete anything?

0 Karma

jeffland
SplunkTrust
SplunkTrust

Go ahead and try it! I wasn't able to delete (or modify) a saved search or field extraction without that role (of course you need to make sure that the knowledge object has only read permissions for "user" as well).

0 Karma

shariinPH
Contributor

im having a problem right now. I cant open everything under the Setting tab. can you help me with this?

0 Karma

jeffland
SplunkTrust
SplunkTrust

I saw that question, but unfortunately I have no idea what causes it and how to resolve the issue.

0 Karma

shariinPH
Contributor

i accidentally removed the "search" on the user capabilities, i didnt saved it but what happens next is that i cannot open everything even if i am using the admin role.

0 Karma

jeffland
SplunkTrust
SplunkTrust

See the answer there if it helps.

0 Karma

shariinPH
Contributor

thanks, will look for it.

0 Karma

shariinPH
Contributor

hi @jeffland i already added the admin_all_objects in the capability of the user access. but it does'nt hide the delete command in different objects. I want to restrict the user access to delete objects such as searches, field extractions, etc.

0 Karma

jeffland
SplunkTrust
SplunkTrust

Did you make sure that the knowledge objects in question have the right permissions? In particular, they must not be write-enabled for the "user" role.

0 Karma

shariinPH
Contributor

yes, they are not write enabled

0 Karma

jeffland
SplunkTrust
SplunkTrust

Then a user with the role of user should not be able to edit them (unless of course he created them and they are his "privately shared" knowledge objects).

0 Karma

shariinPH
Contributor

hello @jeffland, i can still see the delete option under the action column ..

0 Karma

jeffland
SplunkTrust
SplunkTrust

What exactly do your permissions for that object look like, i.e. what is ticked when you click "Permissions" in the list of saved searches?

0 Karma

shariinPH
Contributor

hi jeffland, here, refer to this image

0 Karma

jeffland
SplunkTrust
SplunkTrust

That looks allright.
Are you sure that your role "user" does not have the capability admin_all_objects? It should be disabled in the .conf file, and the user should also not inherit it from another role.

0 Karma

shariinPH
Contributor

@jeffland yes the user role does not have the capability admin_all_objects. by the way im using the default user role "user" . i did not create a new user access.

0 Karma

jeffland
SplunkTrust
SplunkTrust

And did you make sure that this user "user" is only assigned to this "user" role? If it is, then I can't think of another reason why your user is able to delete knowledge objects.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...