I created a new role in Splunk, let's say "RoleA". I want RoleA to be able to see a list of all users and see all related information (like name, email, roles assigned etc.). However I don't want to allow RoleA to edit those users, or create or delete them.
When I remove 'edit_user' capability from RoleA, I can achieve the latter - it cannot create/edit/delete the users. However with that capability not assigned to RoleA, it can't see a list of all users.
Is there a way I can achieve both?
Unfortunately, using reports is not an option. I've been trying to use restmap.conf to change the capability required for a GET method accessing authentication/users, although with no luck. For reference, here's what it looks like:
[authentication-users:authentication-users]
match=/authentication/users
capability.get=admin_all_objects
Not sure what I might be doing wrong? This might be a better solution for my use case, if it works, that is.
It should not be a permission issue against the endpoint. You'll be able to run this search as any user:
| rest splunk_server=local services/authentication/users
But it'll only return what your roles permit you to see, i.e. only your own user or all users.
Yeah, however I want this role to be able to get a list of all users when it hits that endpoint. I want it to be so that any role with the admin_all_objects capability can get a list of all users. They can't edit users, create new users, etc. though.
As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention.
I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge.
Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as rich mentioned while I was typing, use a report running as owner!)
Create a report that uses REST to collect and present the desired information. Set the report to Run As Owner then allow RoleA to read it.
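The "run as owner" report approach from the two answers above, written out as an added example (it is not from the original thread or from Splunk's own documentation): a savedsearches.conf stanza plus the matching default.meta entry. The app name (user_directory), the report name (user_directory_listing), the owner (admin) and the role name (RoleA) are assumptions; the REST endpoint and the field names (title, realname, email, roles) are the ones the /services/authentication/users endpoint returns.

```ini
# --- $SPLUNK_HOME/etc/apps/user_directory/default/savedsearches.conf ---
# (app name "user_directory" is an assumption)
[user_directory_listing]
# The report's SPL: read the user list from the local REST endpoint and
# keep only the fields RoleA is meant to see. Backslashes are .conf line
# continuations.
search = | rest splunk_server=local /services/authentication/users \
| table title realname email roles \
| rename title AS username
# Execute with the owner's privileges rather than the caller's. The owner
# must hold a role that is allowed to list every user (admin here).
dispatchAs = owner
# On-demand only; no scheduled runs writing results anywhere.
enableSched = 0

# --- $SPLUNK_HOME/etc/apps/user_directory/metadata/default.meta ---
[savedsearches/user_directory_listing]
owner = admin
# RoleA may read (and therefore run) the report but must NOT be able to
# edit it: anyone who can change the SPL of a run-as-owner report inherits
# the owner's access to whatever that search can reach, which would undo
# the read-only intent of the question.
access = read : [ RoleA ], write : [ admin ]
export = none
```

RoleA members will see the report in the user_directory app (the role also needs read access to the app itself) and, when they run it, Splunk dispatches the search as admin, so the full user list comes back even though RoleA lacks edit_user. The write permission on the stanza is the part to get right: keep it restricted to the owner's role, since a run-as-owner report that its readers can edit is effectively a capability grant to those readers.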