Splunk Enterprise

How can I give a role read-only access to users?

dudhatjanhavi
Explorer

I created a new role in Splunk, let's say "RoleA". I want RoleA to be able to see a list of all users and see all related information (like name, email, roles assigned, etc.). However, I don't want to allow RoleA to edit those users, or create or delete them.

When I remove the 'edit_user' capability from RoleA, I can achieve the latter: it cannot create/edit/delete users. However, with that capability not assigned to RoleA, it can't see a list of all users.

Is there a way I can achieve both?


dudhatjanhavi
Explorer

Unfortunately, using reports is not an option. I've been trying to use restmap.conf to change the capability required for a GET method accessing authentication/users, although with no luck. For reference, here's what it looks like:

[authentication-users:authentication-users]
match=/authentication/users
capability.get=admin_all_objects

Not sure what I might be doing wrong? This might be a better solution for my use case, if it works, that is.


jeffland
SplunkTrust

It should not be a permission issue against the endpoint. You'll be able to run this search as any user:

| rest splunk_server=local services/authentication/users

But it'll only return what your roles permit you to see, i.e. only your own user or all users.


dudhatjanhavi
Explorer

Yeah, however I want this role to be able to get a list of all users when it hits that endpoint. I want it to be so that any role with the admin_all_objects capability can get a list of all users. They can't edit users, create new users, etc., though.


jeffland
SplunkTrust

As I said earlier, I don't think this is possible. You could create an idea on ideas.splunk.com to have a "readonly-admin" role, but I am not sure if this is a very common request that will get many votes/attention.

jeffland
SplunkTrust

I don't think you can do this with permissions alone, as e.g. a call to services/authentication/users with | rest is also limited to your permissions and a "readonly" capability for users exists to my knowledge.

Depending on your use case, you could collect the users in a summary index or a lookup and have your role search that instead (or better yet, as rich mentioned while I was typing, use a report running as owner!)

richgalloway
SplunkTrust

Create a report that uses REST to collect and present the desired information. Set the report to Run As Owner, then allow RoleA to read it.

---
If this reply helps you, Karma would be appreciated.
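The "Run As Owner" report approach described in the answer above, written out as an added configuration example that is not part of the original thread. The report name "RoleA user list", the owner "admin", and the file locations under an app's local/ and metadata/ directories are assumptions for illustration; the REST search itself is the one quoted earlier in the thread, narrowed to the fields the question asked for.

```ini
# savedsearches.conf (e.g. $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf)
# "RoleA user list" is an assumed report name for this example.
[RoleA user list]
# Read-only REST GET; title is the username, roles is a multivalue field.
search = | rest /services/authentication/users splunk_server=local | table title realname email roles
# Run As Owner: the search is dispatched with the owner's (admin's) permissions,
# so it returns every user no matter which role runs the report.
dispatchAs = owner
# Not scheduled; members of RoleA run it on demand from the Reports page.
enableSched = 0

# local.meta (e.g. $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta)
# The stanza key is the object type plus the URL-encoded report name.
[savedsearches/RoleA%20user%20list]
# RoleA may read (view and run) the report; only admin may change the search.
access = read : [ admin, RoleA ], write : [ admin ]
# The account whose permissions apply when dispatchAs = owner.
owner = admin
# Visible only inside this app; set to "system" to share across apps.
export = none
```

The write restriction is the part to get right: a Run As Owner report is a privilege boundary, because anyone who can edit its search string can run arbitrary SPL with the owner's permissions. Keep write access on the report limited to admins, restart or reload the app after editing the files, and verify by logging in as a RoleA member and running the report, which should list all users, while a plain `| rest /services/authentication/users` typed by that user still shows only their own account.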