|rest - different results for admin and power role...

bmarona · ‎03-27-2020

Hello,

Can anyone help me to find the issue and fix it? I need to grant permissions to use rest command to power role.

I want to list users and roles assigned to them for monthly control purposes:

| rest /services/authentication/users
| fields title roles
| rename title AS user
| search roles IN (power admin ess_analyst)
| stats values(roles) as roles by user

The control performer is user who has a power role and when we are running the same query i am collecting much more entries than he is. What capability is missing?

Power user capabilities:

accelerate_search
can_own_notable_events
change_own_password
dispatch_rest_to_indexers
edit_analyticstories
edit_glasstable
edit_notable_events
edit_search_schedule_window
edit_sourcetypes
edit_statsd_transforms
edit_tcp
edit_tcp_stream
edit_timeline
embed_report
export_results_is_visible
get_metadata
get_typeahead
input_file
list_inputs
list_metrics_catalog
list_search_head_clustering
output_file
pattern_detect
request_remote_tok
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
run_collect
run_mcollect
schedule_rtsearch
schedule_search
search
search_process_config_refresh

harsmarvania57 · ‎03-27-2020

Hi,

Have you tried to provide edit_user capability to power user? Here is description of edit_user capability.

edit_user   Lets the user create, edit, or remove users. A role with the edit_user capability can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3. Also lets a user manage certificates for distributed search.

|rest - different results for admin and power roles

permissions

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM