Splunk Enterprise Security

Dashboard permissions for monitor/screen

mmoermans
Path Finder

I've set up a new Role & User called monitor for the task of displaying Enterprise Security dashboards on a monitor/screen in the building. It's important that this account cannot search through indexes normally and embedding panels is out of the question as well.

So I've copied the normal ES user permissions, made sure that the datamodel permissions are global, same as field extractions etc.
Yet somehow most of the panels in ES give "No results found." for the Monitor role unless I add the User role under Inheritance. I've tried giving the role every index and every capability, yet still "No results found" unless I let it inherit the user (which does not have any different capabilities).

Am I missing a permission setting somewhere that I'm unaware of?

0 Karma

DalJeanis
Legend

I understand what you said was important, but I don't understand why it is important. Presumably, a human user will use that service ID to start up a particular dashboard each day to display on various monitors and then that service ID will do nothing else, ever.

Therefore, that service ID needs access to the app containing that dashboard, and the underlying data, and nothing else.

Worst case scenario, if you felt you really had to lock it down, you could clone the panels to a new app and give that service ID only the new app... but that's a lot of work. More likely, you just set up an alert to detect when that service ID does anything that it has no business doing... at which point you march down and have a come-to-Jesus talk with Mr Curious.

0 Karma
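The alert idea in the reply above, sketched as an added example (not code from the thread or from Splunk): it flags anything the display account does other than logging in and running dashboard panel searches. The account name `monitor`, the key=value event layout with a `provenance` field, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the thread): the display account is named "monitor",
# and audit events are key=value records carrying user, action, info and
# provenance, with dashboard panels marked provenance=UI:Dashboard:<name>.
SERVICE_USER = "monitor"
DASHBOARD_PREFIX = "UI:Dashboard:"
FIELD_RE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|([^,\]]*))""")

# Constructed sample events, not taken from a real system.
SAMPLE = [
    "Audit:[timestamp=09-01-2025 08:00:01.100, user=monitor, action=login attempt, info=succeeded]",
    "Audit:[timestamp=09-01-2025 08:00:05.200, user=monitor, action=search, info=granted, "
    "search_id='s1', search='| tstats count from datamodel=Authentication', "
    "provenance=UI:Dashboard:example_dashboard]",
    "Audit:[timestamp=09-01-2025 12:31:44.000, user=monitor, action=search, info=granted, "
    "search_id='s2', search='search index=main password', provenance=UI:Search]",
    "Audit:[timestamp=09-01-2025 12:32:10.000, user=analyst1, action=search, info=granted, "
    "search_id='s3', search='search index=main', provenance=UI:Search]",
    "Audit:[timestamp=09-01-2025 12:40:02.000, user=monitor, action=edit_user, info=denied]",
]


def parse_audit(line):
    """Return the key=value fields of one audit event as a dict."""
    return {key: (sq or dq or bare).strip()
            for key, sq, dq, bare in FIELD_RE.findall(line)}


def unexpected_activity(lines, user=SERVICE_USER):
    """Return (reason, event) pairs for activity the display account should not produce."""
    findings = []
    for line in lines:
        ev = parse_audit(line)
        if ev.get("user") != user:
            continue
        action = ev.get("action", "")
        if action == "search":
            if ev.get("info") != "granted":
                continue  # count each search once, when it is dispatched
            if not ev.get("provenance", "").startswith(DASHBOARD_PREFIX):
                findings.append(("search outside a dashboard", ev))
        elif action != "login attempt":
            findings.append(("non-search action: " + action, ev))
    return findings


if __name__ == "__main__":
    for reason, ev in unexpected_activity(SAMPLE):
        print(ev["timestamp"], reason, ev.get("search", ""))
```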

koshyk
Super Champion

ES is a beast for permissions.
What you can try doing is to create a myuser role. Inherit the user role first into myuser. Add myuser to the monitor role. Then try detaching individual capabilities from the myuser role until it suits you.

0 Karma

mmoermans
Path Finder

The user role has permission to indexes for other actual ES users, which would mean the roles myuser and monitor would get access to search those indexes too though?

0 Karma

maciep
Champion

Pretty sure your role needs to be able to search the indexes - otherwise, the searches behind the panels won't find any data. I don't think you can have a user just see the results of a search w/o giving them access to the data gathered by the search.

0 Karma