Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

[subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action

theprophet01
Explorer
‎07-11-2024 08:00 AM

Hello Splunkers,

I have question, I'm trying to configure a custom role in Splunk where I'm assigning capabilities natively.  I'm recreating the default capabilities assigned to User in Splunk Enterprise and itoa_user in Splunk ITSI without using the inheritance option (doing this as a test so I can later remove capabilities as I need to). 

The problem I have is that once I save the role with all 65 matching capabilities selected and login as the testuser assigned to that role, dashboards that use the "getservice" command in their searches do not work and display the following error:

[subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ITOA/storage/collections/config/itsi_team

This issue does not happen when I simply select Inherit capabilities for User and itoa_user. Any ideas as to what could be causing this issue?

I'm running splunk version 9.1.1

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

theprophet01
Explorer
‎07-11-2024 11:34 AM

Update

@ITWhisperer  you got me in the right direction. I was able to find the following article:

https://docs.splunk.com/Documentation/ITSI/4.19.0/Configure/CustomRoles

and was able to resolve the issue by including the new custom role under KV store collections:

itsi_services
itsi_teams

By using the following the steps:

Step 4: Assign the role KV store collection level access

The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections.

Set permissions to KV store collections in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Make sure Visible in the App is selected.
  4. Filter by collections-conf to only display KV store collections.
  5. For a specific view, click Permissions in the Sharing column.
  6. Check the boxes to grant read and write permissions to the various collections for ITSI roles.
  7. Click Save.

This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

  1. Create a local.meta file in the SA-ITOA/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
cp default.meta local.meta
  2. Edit SA-ITOA/metadata/local.meta
    3. .
  3. Set access for specific roles in local.meta. For example:
    [collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2024 08:16 AM

Does your custom user (role) have the correct access to the ITSI app?

Reply
Solved! Jump to solution

theprophet01
Explorer
‎07-11-2024 08:34 AM

Hi @ITWhisperer , thanks for reaching out,  as part of my test the ITSI app permissions are set to read and write for "Everyone". Also an app called ITOA Backend with folder name SA-ITOA has the same permissions set.

0 Karma
Reply
Solved! Jump to solution
Solution

theprophet01
Explorer
‎07-11-2024 11:34 AM

Update

@ITWhisperer  you got me in the right direction. I was able to find the following article:

https://docs.splunk.com/Documentation/ITSI/4.19.0/Configure/CustomRoles

and was able to resolve the issue by including the new custom role under KV store collections:

itsi_services
itsi_teams

By using the following the steps:

Step 4: Assign the role KV store collection level access

The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections.

Set permissions to KV store collections in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Make sure Visible in the App is selected.
  4. Filter by collections-conf to only display KV store collections.
  5. For a specific view, click Permissions in the Sharing column.
  6. Check the boxes to grant read and write permissions to the various collections for ITSI roles.
  7. Click Save.

This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

  1. Create a local.meta file in the SA-ITOA/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
cp default.meta local.meta
  2. Edit SA-ITOA/metadata/local.meta
    3. .
  3. Set access for specific roles in local.meta. For example:
    [collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
0 Karma
Reply
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...