Splunk Enterprise

How can I give a role read-only access to users?

dudhatjanhavi
Explorer

I created a new role in Splunk, let's say "RoleA". I want RoleA to be able to see a list of all users and see all related information (like name, email, roles assigned etc.). However I don't want to allow RoleA to edit those users, or create or delete them. 

When I remove 'edit_user' capability from RoleA, I can achieve the latter - it cannot create/edit/delete the users. However with that capability not assigned to RoleA, it can't see a list of all users.

Is there a way I can achieve both?


dudhatjanhavi
Explorer

Unfortunately using reports is not an option. I've been trying to use restmap.conf to change the capability required for a GET method accessing authentication/users, although with no luck. For reference, here's what it looks like:

[authentication-users:authentication-users]
match=/authentication/users
capability.get=admin_all_objects

Not sure what I might be doing wrong? This might be a better solution for my use case, if it works that is.


jeffland
SplunkTrust
SplunkTrust

It should not be a permission issue against the endpoint. You'll be able to run this search as any user:

| rest splunk_server=local services/authentication/users

But it'll only return what your roles permit you to see, i.e. only your own user or all users.


dudhatjanhavi
Explorer

Yeah, however I want this role to be able to get a list of all users when it hits that endpoint. I want it to be so that any role with the admin_all_objects capability can get a list of all users. They can't edit users, create new users, etc. though.


jeffland
SplunkTrust
SplunkTrust

As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention.

jeffland
SplunkTrust
SplunkTrust

I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge.

Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as Rich mentioned while I was typing, use a report running as owner!)

richgalloway
SplunkTrust
SplunkTrust

Create a report that uses REST to collect and present the desired information. Set the report to Run As Owner then allow RoleA to read it.

---
If this reply helps you, Karma would be appreciated.
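Rich's suggestion expressed as configuration, as an added example that is not part of the original thread. The stanza name users_readonly_listing, the owner admin, and placing both files in one app (local/savedsearches.conf and metadata/local.meta) are assumptions; the search itself is the one jeffland posted above, narrowed to the user fields the question asks for.

```ini
# local/savedsearches.conf
# The report runs with the owner's permissions, so the owner must be a
# user who can already list all users (one whose roles hold edit_user,
# typically admin). RoleA only needs read access to the report object.
[users_readonly_listing]
search = | rest splunk_server=local /services/authentication/users | table title realname email roles
dispatchAs = owner
description = Read-only listing of all Splunk users (name, email, roles) for RoleA

# metadata/local.meta
# RoleA may read (and therefore run) the report but not modify it, so it
# still cannot change the search or the run-as setting. Because RoleA has
# no edit_user capability, it still cannot create, edit or delete users.
[savedsearches/users_readonly_listing]
access = read : [ admin, RoleA ], write : [ admin ]
export = none
owner = admin
```

After restarting Splunk (or reloading the app), a RoleA user opens the report from the Reports page and sees every user, while running the same `| rest` search directly in Search still returns only their own account.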