Splunk Cloud Platform

Restrict access to read only also for admin

wealot
Explorer

Hi,

I have an app that is used for all the configurations that we have in Splunk Cloud. Quite a lot of users on our instance are admin (for good reasons that I don't want to get into 😄). Now, because not all of those users are really "developer enthusiasts", they tend to sometimes make configuration changes through the GUI. For example, disable a search in the GUI instead of nicely in the app (with pipeline etc.) when they don't need it anymore. To try to make this impossible I changed the default.meta to:

[]
access = read : [ * ], write : []
export = system

 

But this doesn't seem to work and people can still disable savedsearches (and many other things).

Is there any way to disable write entirely for any content in the app?

0 Karma

VatsalJagani
SplunkTrust

@wealot - There is no clear documentation that we can do write: [], so I would suggest testing the following. Not sure if this is the best solution, but maybe this will work.

  • Create a role called role_for_no_one and do not assign this role to anyone.
    • Do not import this role from any other role.
  • Metadata
    • access = read: [*], write: [role_for_no_one]

 

I hope this helps!!!

0 Karma
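A pipeline check for the metadata suggested in the answer above, as an added example that is not part of the original thread: it parses an app's default.meta and reports every stanza whose write ACL is anything other than the unassigned role. The function names and the sample file are constructed for illustration; `role_for_no_one` is the role name from the answer.

```python
import re
import sys

ALLOWED_WRITERS = {"role_for_no_one"}  # unassigned role named in the answer above

# Constructed sample of an app's metadata/default.meta (not from the thread)
SAMPLE_META = """\
[]
access = read : [ * ], write : [ role_for_no_one ]
export = system

[savedsearches]
access = read : [ * ], write : [ admin, power ]

[views/overview]
owner = nobody
"""

ACL_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} for stanzas with an access line."""
    acls, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # "[]" is the app-wide default stanza
            continue
        key, _, value = line.partition("=")
        if stanza is not None and key.strip() == "access":
            acls[stanza] = {perm: {r.strip() for r in roles.split(",") if r.strip()}
                            for perm, roles in ACL_RE.findall(value)}
    return acls

def find_writable(text, allowed=ALLOWED_WRITERS):
    """List (stanza, write_roles) where the write ACL is not exactly `allowed`."""
    findings = []
    for stanza, acl in parse_meta(text).items():
        writers = acl.get("write", set())
        if writers != allowed:           # also flags an empty list, write : []
            findings.append((stanza, sorted(writers)))
    return findings

if __name__ == "__main__":
    results = find_writable(SAMPLE_META)
    for stanza, roles in results:
        print(f"[{stanza}] write is granted to: {roles or 'empty list'}")
    sys.exit(1 if results else 0)
```

Stanzas without their own access line, such as `[views/overview]` in the sample, are not reported because they inherit from the `[]` stanza.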

wealot
Explorer

Actually did some further testing, but users with admin privileges seem to be immune to permissions in terms of editing apps. So for now there is no way to disallow admins from writing to apps.

0 Karma

isoutamo
SplunkTrust

Admin is the same as root in the *nix world. You could try different tricks to restrict what it can do, but there is always a way to avoid those restrictions!

To be honest, your company must implement policies which are mandatory, and if someone doesn't follow them then there are some consequences for those. Otherwise there will always be some surprises from time to time. Of course, there should be some other ways to motivate your colleagues first to understand why there are policies and why everyone must follow those.

0 Karma

wealot
Explorer

Yes, it seems that there is only a workaround available by using a non-used role. Although I do not know if this would in fact create issues up the road, we'll see!

0 Karma

VatsalJagani
SplunkTrust

If my answer answered your question, please "Accept it as Solution".

If it helped you anyway, kindly upvote!!!

0 Karma