Splunk Enterprise

Changing permission of a private knowledge object makes all access inaccessible

burwell
SplunkTrust

Scenario on a SHC, Splunk 8.2.2.1

  • user1 and user2 are 2 users in role user
  • user1, who is in role user, owns a private extraction (and saved searches). She is leaving the company and wants user2 to now own the knowledge object.
  • admin does a reassign knowledge objects of all knowledge objects from user1 -> user2 (and yes they probably got the warning that this might make knowledge objects inaccessible)
  • now no one including admin can access this knowledge object from the UI or curl .. /services/configs/conf-props/extractnamehere/acl
  • Fortunately: the props.conf file in /opt/splunk/etc/users/user1/search/local/props.conf is still there

    Is there any other way the admin could gain access to this knowledge object other than grabbing the configs off the file system of the Splunk head?
0 Karma

isoutamo
SplunkTrust
You should see those via Settings -> All configurations. If I recall right, this is the only place in the GUI (or at least the only one I have found) where one can see users' private KOs.
r. Ismo
0 Karma

SinghK
Builder

Did you check if the object is showing under orphaned objects?

0 Karma

burwell
SplunkTrust

The object doesn't show under "All configurations"

0 Karma

SinghK
Builder

You can try what Ismo said about creating the same user (exact user id that existed) locally on Splunk. I have done that before with the same issue as you described, and then it let me reassign the object to another user.

0 Karma

burwell
SplunkTrust

Hi. Thanks for the responses.

So as an experiment with my two users: I never removed the first user. I log in locally and that user does not see their knowledge object (extract), BUT it is there on the local disk. So the metadata is gone, I guess.

We had this happen on a SHC, so I repro'd on a standalone head. I can totally reproduce this.

0 Karma

isoutamo
SplunkTrust
Can you try to create temporarily user1 as local on this SHC and see if those KOs are then available and can be copied/assigned again to user2?
0 Karma
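
An added example, not part of any post in this thread and not Splunk's own tooling: a shell function that inventories private props.conf stanzas under a users directory laid out like the /opt/splunk/etc/users path mentioned above, and reports whether per-user metadata sits beside them. It assumes ACL metadata for private objects lives in `metadata/local.meta` next to `local/`, in stanzas whose names start with `props`; the sample tree and its stanza names are constructed.

```shell
# audit_private_props USERS_DIR
# Prints one line per props.conf stanza: user|app|stanza|meta=<state>
audit_private_props() {
    users_dir=$1
    for conf in "$users_dir"/*/*/local/props.conf; do
        [ -f "$conf" ] || continue          # glob matched nothing
        app_dir=${conf%/local/props.conf}
        app=${app_dir##*/}
        user_dir=${app_dir%/*}
        user=${user_dir##*/}
        meta="$app_dir/metadata/local.meta"
        # Assumption: ACL entries for props objects are stanzas in
        # local.meta whose name starts with "props".
        if [ ! -f "$meta" ]; then
            state=missing
        elif grep -q '^\[props' "$meta"; then
            state=present
        else
            state=no-props-entry
        fi
        # Stanza headers are lines of the form [name]
        sed -n 's/^\[\(.*\)][[:space:]]*$/\1/p' "$conf" |
        while IFS= read -r stanza; do
            printf '%s|%s|%s|meta=%s\n' "$user" "$app" "$stanza" "$state"
        done
    done
}

# Constructed sample tree (not real data) mirroring the thread's layout:
# user1 has an extraction on disk but no metadata; user2 has both.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/user1/search/local" "$root/user2/search/local" \
             "$root/user2/search/metadata"
    printf '[mysourcetype]\nEXTRACT-extractnamehere = (?<f>\\d+)\n' \
        > "$root/user1/search/local/props.conf"
    printf '[other]\nEXTRACT-x = (?<g>\\w+)\n' \
        > "$root/user2/search/local/props.conf"
    printf '[props/other/EXTRACT-x]\nowner = user2\n' \
        > "$root/user2/search/metadata/local.meta"
    echo "$root"
}

sample=$(make_sample)
audit_private_props "$sample"
rm -rf "$sample"
```

On a real search head the function would be pointed at the users directory read-only; lines ending in `meta=missing` or `meta=no-props-entry` are the on-disk objects worth comparing against what the UI and REST endpoints show.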