Splunk Enterprise Security

Custom Role on ES

akai
Explorer

Hello,

I have created a custom role and assigned it the same permissions as ess_user, including adding it to the enforce_es_permissions setting. But for whatever reason the user doesn't see any notables in Mission Control (I get a "Search did not return any findings or investigations" message). The user also has access to the notable index and can see the events there when doing a normal search.

If I assign the ess_user role to the same user, the Mission Control panel gets populated.

Running on Splunk Cloud.

Anything I am missing or tips for debugging permission issues?

Thanks!


livehybrid
SplunkTrust

Hi @akai 

As well as the new role having the capabilities from ess_user, you will also need to ensure it has permissions to see the relevant lookups, indexes and other knowledge objects, which are managed within the app contexts, not within the role itself.

Have you added your new custom role to the read permissions of the ES lookups and other knowledge objects such as the lookup definitions and macros?


akai
Explorer

Hey @livehybrid

Thank you for the quick response!

As far as I can see, the permissions on lookups and knowledge objects owned by ES are shared globally with Read set to all, so I would assume that at least getting the notables populated in Mission Control should work. As I mentioned, searching in the notable index does return data (the role also has access to index=*).

Anything specific I could check here? I am not sure if anything shows up in the internal indexes regarding errors or whatnot.

EDIT: I would also add that I attempted to clone ess_user, but that did not change the result.


PrewinThomas
Motivator

@akai 

Instead of cloning, try role inheritance; the ess_user permissions may not be sufficient for Mission Control. Also make sure the relevant mc_* capabilities are available for the new role.

Refer to the link below for creating a role in Mission Control.
https://help.splunk.com/en/splunk-enterprise-security-7/mission-control/investigate-and-respond-to-t...

Note: There might be some delay before your changes are reflected in Mission Control.

Regards,
Prewin
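One way to check the capability point in the answer above, as an added example that is not part of the thread: this SPL reads both roles from the REST roles endpoint, merges each role's direct and inherited capabilities, and lists every capability held by only one of the two roles, so anything ess_user has (for example mc_* capabilities) and the custom role lacks shows up with held_by=ess_user. The role name custom_es_role is a placeholder for your own custom role.

```spl
| rest /services/authorization/roles splunk_server=local
| search title IN ("ess_user", "custom_es_role")
| eval all_caps=mvappend(capabilities, imported_capabilities)
| fields title imported_roles all_caps
| mvexpand all_caps
| stats values(title) AS held_by, dc(title) AS role_count BY all_caps
| where role_count=1
| sort held_by all_caps
```

Reading the roles endpoint needs a user allowed to query REST authorization data (typically an admin), and a role that inherits ess_user will show its inherited capabilities under imported_capabilities rather than capabilities.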

akai
Explorer

Hello @PrewinThomas,

I went ahead and set the inheritance from ess_user, and now I can see the notables in Mission Control with a user that has the custom role. Unfortunately, this doesn't fix the root issue, which I think is more in line with what @livehybrid mentioned, because even after granting additional permission to own notables, I still get errors when assigning notables.

I would rather not inherit ess_analyst because it has permissions that I do not want to grant to this role.


akai
Explorer

After changing some more permissions and also changing the status transitions permissions (which took me forever to figure out I needed to do), everything seems to be working when inheriting the ess_user role, which is fine by me. I'm still not sure why this is necessary, but I can live with it for now.
