Security

|rest - different results for admin and power roles

bmarona
Explorer

Hello,

Can anyone help me to find the issue and fix it? I need to grant permissions to use rest command to power role.

I want to list users and roles assigned to them for monthly control purposes:

| rest /services/authentication/users
| fields title roles
| rename title AS user
| search roles IN (power admin ess_analyst)
| stats values(roles) as roles by user

The control performer is user who has a power role and when we are running the same query i am collecting much more entries than he is. What capability is missing?

Power user capabilities:

accelerate_search
can_own_notable_events
change_own_password
dispatch_rest_to_indexers
edit_analyticstories
edit_glasstable
edit_notable_events
edit_search_schedule_window
edit_sourcetypes
edit_statsd_transforms
edit_tcp
edit_tcp_stream
edit_timeline
embed_report
export_results_is_visible
get_metadata
get_typeahead
input_file
list_inputs
list_metrics_catalog
list_search_head_clustering
output_file
pattern_detect
request_remote_tok
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
run_collect
run_mcollect
schedule_rtsearch
schedule_search
search
search_process_config_refresh
Labels (1)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Have you tried to provide edit_user capability to power user? Here is description of edit_user capability.

edit_user   Lets the user create, edit, or remove users. A role with the edit_user capability can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3. Also lets a user manage certificates for distributed search.
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...