Splunk Enterprise

How to restrict users from exporting data via REST API, CLI?

human96
Communicator

Hi Splunkers,

I know how we can restrict users from exporting data in Splunk Web.

Does anyone happen to know how we can restrict users from exporting data via REST API, CLI?

0 Karma
1 Solution

VatsalJagani
Super Champion

If you don't want to allow them to export then you need to revoke their searching capability.

Because if they can search then Splunk doesn't have any control to stop them from exporting.

But anyway, if you wish to stop the user from running search queries, you can remove the search capability from the role. (By default, the user role has this capability.) - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities

human96
Communicator

Thanks for your response.

I have one more doubt.

Is it possible to set up a new port dedicated to the API in Splunk?

If yes, please tell me the process. Documentation would be appreciated.

0 Karma

VatsalJagani
Super Champion

No, I don't think so. The API works on Splunk's management port 8089.

Because they both are actually the same thing. Splunk does all its management through API as well.

0 Karma

human96
Communicator

Are there any best practices for running Splunk's API from an external system?

Documentation would be appreciated.

0 Karma

VatsalJagani
Super Champion

See if you can use the SDK, because that would be much easier and take care of most of the best practices.

https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/

0 Karma

VatsalJagani
Super Champion

export_results_is_visible capability in the answer.
(Basically it will hide the "Export Results" button on Splunk Web. - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities )

By default, this capability is available with the user role. So you need to create a new role similar to the user but then exclude this capability.

Or you can modify the default user role and remove this capability. (If you want this to happen to specific users, don't take this approach)

0 Karma

human96
Communicator

Thanks for your quick response.

As I already mentioned, I know the "export_results_is_visible" role capability makes the restriction on Splunk Web.

I just want to restrict a specific user from exporting via REST API, CLI.

Is it possible?

0 Karma

VatsalJagani
Super Champion
Sorry about misunderstanding the question. Posted a separate response.
0 Karma