Splunk Enterprise

Changing permission of a private knowledge object makes all access inaccessible

burwell
SplunkTrust
SplunkTrust

Scenario on a SHC, Splunk 8.2.2.1

  • user1 and user2 are 2 users in role user
  • user1 who is in role user owns a private extraction (and saved searches). she is leaving the company and wants user2 to now own the knowledge object
  • admin does a reassign knowledge objects of all knowledge objects from user1 -> user2 (and yes they probably got the warning that this might make knowledge objects inaccessible)
  • now no one including admin can access this knowledge object from the UI or curl .. /services/configs/conf-props/extractnamehere/acl
  • Fortunately: the props.conf file in /opt/splunk/etc/users/user1/search/local/props.conf is still there

    Is there any other way the admin could gain access to this knowledge object other than grabbing the configs off the file system of the Splunk head?
Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
You should see those via Settings -> All configurations. If I recall right this is the only place in GUI (or at least which I have found) where the one can see users' private KOs.
r. Ismo
0 Karma

SinghK
Builder

Did you check if the object is showing under orphaned objects?

0 Karma

burwell
SplunkTrust
SplunkTrust

The object doesn't show under "All configurations"

0 Karma

SinghK
Builder

you can try what Ismo  said about creating the same user(exact user id that existed) locally on splunk. I have done that before same issue as you described and then it let le me reassign object to other user.

0 Karma

burwell
SplunkTrust
SplunkTrust

Hi. Thanks for the responses.

So as an experiment with my two users.. I never removed the first user. I login locally and that user does not see their knowledge object (extract) BUT it is there on the local disk. So the meta data is gone I guess.

We had this happen on a SHC so I repo'd on a standalone head. I can totally reproduce this.

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Can you try to create temporarily user1 as local on this SHC and see if those KOs are then available and can be copied/assigned again to user2?
0 Karma
Get Updates on the Splunk Community!

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...