Splunk Enterprise

Splunk user role restriction

uagraw01
Motivator

Hello Splunker!!

Hope all is good.


I have created a new role in Splunk. I have added some users to that role. I need to restrict users in that role so that they are not able to see the "All Configuration" option in the settings. Please help me: what settings should I change to get my results?

uagraw01_0-1731410048060.png

 

What I have done so far, but nothing works for me.

[role_Splunk_engineer]
list_all_configurations = disabled
edit_configurations = disabled

Thanks in Advance.

0 Karma

sainag_splunk
Splunk Employee

@uagraw01 Please refer to this: https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/Authorizeconf

Based on what I see, the role might have inherited "admin_all_objects" from a different role. Also check the “edit_own_objects” and “list_all_objects” capabilities.

[capability::admin_all_objects]

* Lets a user access all objects in the system, such as user objects and
  knowledge objects.
* Lets a user bypass any Access Control List (ACL) restrictions, similar
  to the way root access in a *nix environment does.
* The Splunk platform checks this capability when accessing manager pages and objects.

 
Use this:

 

./splunk btool authorize list role_Splunk_engineer --debug  

 






If this helps, please upvote.
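
The inheritance check suggested in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it parses authorize.conf text, follows importRoles, and reports which role grants each effective capability. The sample config and the role_ops_base role are constructed; the model assumes capabilities are granted with `= enabled` and that imported roles' capabilities are unioned in.

```python
import configparser

# Constructed sample authorize.conf. role_ops_base is hypothetical; the
# role_Splunk_engineer stanza mirrors the one posted in the question.
SAMPLE_CONF = """
[role_user]
search = enabled
rest_properties_get = enabled

[role_ops_base]
importRoles = user
admin_all_objects = enabled

[role_Splunk_engineer]
importRoles = ops_base
list_all_configurations = disabled
edit_configurations = disabled
"""

def load_roles(text):
    """Return {role: {"imports": [...], "caps": {...}}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so importRoles is matched exactly
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue  # skip [capability::...] and other stanzas
        items = dict(cp[section])
        imports = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles

def effective_capabilities(roles, role, _seen=None):
    """Map each capability to the role that grants it, following importRoles."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return {}  # already visited (cycle or diamond) or undefined role
    seen.add(role)
    found = {cap: role for cap in roles[role]["caps"]}
    for parent in roles[role]["imports"]:
        for cap, src in effective_capabilities(roles, parent, seen).items():
            found.setdefault(cap, src)
    return found

if __name__ == "__main__":
    caps = effective_capabilities(load_roles(SAMPLE_CONF), "Splunk_engineer")
    print("\n".join(f"{c:25} granted by role_{r}" for c, r in sorted(caps.items())))
```

In the constructed sample the role's own stanza grants nothing, yet admin_all_objects still reaches it through the imported role, which is the situation the answer asks the poster to rule out.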

uagraw01
Motivator

@sainag_splunk I selected the options below; this made the settings hidden, but the search option became unavailable to the user?

uagraw01_0-1731478051077.png

I also want the two options below to be available to the user.

uagraw01_1-1731478191017.png

 

 

0 Karma

uagraw01
Motivator

Is it possible to also hide these two options from the settings in Splunk?

uagraw01_0-1731563077787.png

 

0 Karma

sainag_splunk
Splunk Employee

@uagraw01 That is by Splunk's default user role and is recommended as best practice. That works with rest_properties_get, but if you remove that, you will have different issues; I do not recommend that.

You have different ones that are not needed there, like Data inputs, Tokens, Server Settings; these should be handled by admin.

Typical Splunk user role native capabilities.

Screenshot 2024-11-14 at 10.37.30 AM.png








If this helps, please Upvote. 


0 Karma