Splunk Enterprise Security

Dashboard permissions for on monitor/screen

Path Finder

I've set up a new Role & User called monitor for the task of displaying Enterprise Security dashboards on a monitor/screen in the building. It's important that this account cannot search through indexes normally and embedding panels is out of the question as well.

So I've copied the normal ES user permissions and made sure that the datamodel permissions are global, same as field extractions etc.
Yet somehow most of the panels in ES give "No results found." for the Monitor role unless I add the User role under Inheritance. I've tried giving the role every index and every capability, yet still "No results found" unless I let it inherit the user role (which does not have any different capabilities).

Am I missing a permission setting somewhere that I'm unaware of?


Re: Dashboard permissions for on monitor/screen

Super Champion

ES is a beast for permissions.
What you can try doing is to create a myuser role: inherit the user role into myuser first, then add myuser to the monitor role. Then try detaching individual capabilities from the myuser role until it suits you.

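As an added example (not from any poster in this thread), the same idea expressed directly in authorize.conf rather than through the role editor: a display-only role that gets its index access explicitly instead of by importing the built-in user role. The index names, the quota values and the capability list are assumptions for illustration; take the real index list from the searches behind the panels that return "No results found", and add capabilities one at a time only when a panel still fails.

```ini
# authorize.conf (example, not from the thread): a wallboard-only role for ES dashboards.
# Assumption: the ES indexes are called notable, summary and risk, and the data models
# feeding the panels are built from the windows and network indexes. Replace as needed.

[role_monitor]
# No importRoles line on purpose. Importing "user" is what silently widens the role:
# a role sees the union of its own and every imported role's srchIndexesAllowed.

# Only the indexes the dashboard searches actually read. Never "*" for a screen account.
srchIndexesAllowed = notable;summary;risk;windows;network
srchIndexesDefault = notable;summary

# Minimal capabilities (assumed starting set): run searches, and read the REST
# properties that several ES panels query with "| rest".
search = enabled
rest_properties_get = enabled

# Cap what a curious operator could do if they sat down at the screen:
# small disk quota in MB, few concurrent jobs, no real-time search, bounded search time.
srchDiskQuota = 100
srchJobsQuota = 5
rtSrchJobsQuota = 0
srchMaxTime = 600
```

Two checks are worth running before handing the account over. First, `splunk btool authorize list role_monitor --debug` on the search head shows the role exactly as Splunk merged it, including any importRoles line left behind by the role editor. Second, the role still needs read access to the ES app and its knowledge objects (dashboards, data models, lookups, macros), which is granted in the app's metadata/local.meta, not in authorize.conf; a panel that returns no results while the same search works for an admin usually means either an index missing from srchIndexesAllowed or a lookup or macro the role cannot read.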

Re: Dashboard permissions for on monitor/screen

Path Finder

The user role has permission to indexes for other actual ES users, which would mean the roles myuser and monitor would get access to search those indexes too though?


Re: Dashboard permissions for on monitor/screen

Champion

Pretty sure your role needs to be able to search the indexes; otherwise, the searches behind the panels won't find any data. I don't think you can have a user just see the results of a search without giving them access to the data gathered by the search.


Re: Dashboard permissions for on monitor/screen

SplunkTrust

I understand what you said was important, but I don't understand why it is important. Presumably, a human user will use that service ID to start up a particular dashboard each day to display on various monitors and then that service ID will do nothing else, ever.

Therefore, that service ID needs access to the app containing that dashboard, and the underlying data, and nothing else.

Worst case scenario, if you felt you really had to lock it down, you could clone the panels to a new app and give that service ID only the new app... but that's a lot of work. More likely, you just set up an alert to detect when that service ID does anything that it has no business doing... at which point you march down and have a come-to-Jesus talk with Mr Curious.

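The alert suggested in the reply above, written out as an added example (not from any poster in this thread) as a savedsearches.conf stanza that an admin, not the screen account, owns. It assumes the service account is literally named monitor, that the wallboard shows the ES Security Posture dashboard, and that search audit events in _audit carry a provenance field of the form UI:Dashboard:<view name>; the view name and the exact provenance values are assumptions, so run `index=_audit user=monitor action=search info=granted | stats count by provenance` first and paste in what you actually see.

```ini
# savedsearches.conf (example, not from the thread): alert when the wallboard account
# runs anything other than the searches its dashboard launches.
# Assumptions: the account is "monitor", the dashboard view is "ess_security_posture",
# and _audit search events carry action, info, user, search and provenance fields.
# The monitor role must not be able to read _audit; this search runs under an admin role.

[Monitor account used outside its dashboard]
search = index=_audit action=search info=granted user=monitor \
  NOT provenance="UI:Dashboard:ess_security_posture*" \
  | stats count, earliest(_time) AS first_seen, latest(_time) AS last_seen, \
    values(search) AS searches BY user, provenance \
  | convert ctime(first_seen) ctime(last_seen)

# Look back over the same window the schedule covers, every 15 minutes.
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1

# Fire on any result at all; a single ad hoc search from this account is the incident.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
```

The `info=granted` filter keeps only searches that actually ran, so a denied attempt (for example against an index outside srchIndexesAllowed) does not fire this alert; if you also want to see those, drop the filter and add `info` to the `BY` clause. Keep `values(search)` in the output: when the alert fires, the literal search string is what decides whether it was a scheduled dashboard refresh with an unexpected provenance value or someone typing into the search bar.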