Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Restrict access to read only also for admin

wealot
Explorer
‎01-09-2025 01:47 AM

Hi,

I have an app that is used for all the configurations that we have in Splunk Cloud. Quite a lot of users on our instance are admin (for good reasons that I don't want to get into 😄 ). Now because not all of those users are really "developer enthusiasts" they tend to sometimes make configuration changes through the GUI. For example disable a search in the GUI instead of nicely in the app (with pipeline etc) when they don't need it anymore. To try to make this impossible I changed the default.meta to:

 

 

[]
access = read : [ * ], write : []
export = system

 

But this doesn't seem to work and people can still disable savedsearches (and many other things).

Is there any way to disable write entirely for any content in the app?

 

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-22-2025 10:34 PM

@wealot- There is no clear document that we can do write: [], so I would suggest to test following. Not sure if this is best solution, but maybe this will work.

  • Create a role called role_for_no_one and do not assign this role to anyone.
    • Do not import this role from any other role.
  • Metadata
    • access = read: [*], write: [role_for_no_one]

 

I hope this helps!!!

0 Karma
Reply

wealot
Explorer
‎01-23-2025 12:40 AM

Actually did some further testing, but users with admin privileges seem to be immune to permissions in terms of editing apps. So for now there is no way to disallow admins to write to apps.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-23-2025 12:20 PM

Admin is same as root *nix world. You could try different tricks to restrict what it can do, but there is always a way to avoid those restrictions!

To be honest your company must implement policies which are mandatory and if someone doesn’t follow it then there is some consequences for those. Otherwise there will be always some surprises time by time. Of course there should be some other ways to motivate your colleagues first to understand why there is policies and why everyone must following those.

0 Karma
Reply

wealot
Explorer
‎01-23-2025 12:05 AM

Yes seems that there is only a workaround available by using a non-used role. Although I do not know if this would in fact create issues up the road, we'll see!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-23-2025 08:15 AM

if my answer, answered your question please "Accept it as Solution".

If it helped you anyway, kindly upvote!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...