Splunk Enterprise

How can I give a role read-only access to users?

dudhatjanhavi
Explorer

I created a new role in Splunk, let's say "RoleA". I want RoleA to be able to see a list of all users and see all related information (like name, email, roles assigned, etc.). However, I don't want to allow RoleA to edit those users, or create or delete them.

When I remove 'edit_user' capability from RoleA, I can achieve the latter - it cannot create/edit/delete the users. However with that capability not assigned to RoleA, it can't see a list of all users.

Is there a way I can achieve both?


dudhatjanhavi
Explorer

Unfortunately, using reports is not an option. I've been trying to use restmap.conf to change the capability required for a GET method accessing authentication/users, although no luck. For reference, here's what it looks like:

[authentication-users:authentication-users]
match=/authentication/users
capability.get=admin_all_objects

Not sure what I might be doing wrong? This might be a better solution for my use case, if it works, that is.


jeffland
SplunkTrust

It should not be a permission issue against the endpoint. You'll be able to run this search as any user:

| rest splunk_server=local services/authentication/users

But it'll only return what your roles permit you to see, i.e. only your own user or all users.


dudhatjanhavi
Explorer

Yeah, however I want this role to be able to get a list of all users when it hits that endpoint. I want it to be so that any role with the admin_all_objects capability can get a list of all users. They can't edit users, create new users, etc. though.


jeffland
SplunkTrust

As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention.

jeffland
SplunkTrust

I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge.

Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as rich mentioned while I was typing, use a report running as owner!)

richgalloway
SplunkTrust

Create a report that uses REST to collect and present the desired information. Set the report to Run As Owner then allow RoleA to read it.

---
If this reply helps you, Karma would be appreciated.
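As an added example (not posted by anyone in this thread), here is what richgalloway's suggestion looks like when expressed in configuration files rather than the UI. The app name "search", the report name "user_inventory" and the owner "admin" are assumptions; the role name RoleA and the endpoint come from the thread.

```ini
# --- etc/apps/search/local/savedsearches.conf  (constructed example) ---
# Report name "user_inventory" is an assumption.
[user_inventory]
# Same endpoint jeffland mentioned; only the fields the question asked for are kept.
search = | rest /services/authentication/users splunk_server=local | table title realname email roles
# Run As Owner: the search runs with the owner's privileges, not the caller's.
# The owner must therefore hold a role that can list all users (here: admin).
dispatchAs = owner
# No schedule needed; RoleA runs it on demand from the Reports page.
enableSched = 0

# --- etc/apps/search/metadata/local.meta  (constructed example) ---
# RoleA gets read only. Keep write with admin: anyone who can edit a
# run-as-owner search can change its SPL and run it with the owner's rights.
[savedsearches/user_inventory]
owner = admin
access = read : [ admin, RoleA ], write : [ admin ]
export = none
```

Reload the app or restart Splunk after editing, and check the report's permissions dialog afterwards to confirm RoleA shows read but not write.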