I have a dashboard that only for some users (seems to be some new ones or long returning ones), is returning an "Action Forbidden." error message on panels. I have checked access permissions, but there are no differences to other users who are not receiving this error. I have also checked the enterprise docs, but can't find reference to this error message.
Dashboard Panel error message below.
Any help would be appreciated
Thanks for your response,
I've tested on an account with the exact same permissions, also other users within the same user group are not presenting the same issue.
The prevailing theory is that it is part of the search head configuration isn't replicating properly across the cluster, we have attempted to repair with a manual resync. We don't have a way to confirm though, as we've been unable to replicate the issue.
Hi
how you have check user's access rights? If you are just looking those from user settings, simple rest query or with btool from conf files you usually not get correct rights. The reason for this is that may times there are lot of different places where those rights has set and then splunk combines those together to get the real rights for user.
This is one app https://splunkbase.splunk.com/app/4111/ which I have used to check what are real rights for users. Maybe not perfect but at least I have found and merged/fixed some issues with it. There are some other apps & REST examples which you can use to figure out the situation on your environment.
r. Ismo