Splunk ITSI

[subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action

theprophet01
Explorer

Hello Splunkers,

I have a question. I'm trying to configure a custom role in Splunk where I'm assigning capabilities natively. I'm recreating the default capabilities assigned to User in Splunk Enterprise and itoa_user in Splunk ITSI without using the inheritance option (doing this as a test so I can later remove capabilities as I need to).

The problem I have is that once I save the role with all 65 matching capabilities selected and log in as the testuser assigned to that role, dashboards that use the "getservice" command in their searches do not work and display the following error:

[subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ITOA/storage/collections/config/itsi_team

This issue does not happen when I simply select Inherit capabilities for User and itoa_user. Any ideas as to what could be causing this issue?

I'm running Splunk version 9.1.1.


theprophet01
Explorer

Update

@ITWhisperer you got me in the right direction. I was able to find the following article:

https://docs.splunk.com/Documentation/ITSI/4.19.0/Configure/CustomRoles

and was able to resolve the issue by including the new custom role under KV store collections:

itsi_services
itsi_teams

By using the following steps:

Step 4: Assign the role KV store collection level access

The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections.

Set permissions to KV store collections in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Make sure Visible in the App is selected.
  4. Filter by collections-conf to only display KV store collections.
  5. For a specific view, click Permissions in the Sharing column.
  6. Check the boxes to grant read and write permissions to the various collections for ITSI roles.
  7. Click Save.

This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

  1. Create a local.meta file in the SA-ITOA/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
    cp default.meta local.meta
  2. Edit SA-ITOA/metadata/local.meta.
  3. Set access for specific roles in local.meta. For example:
    [collections/itsi_services]
    access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]

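An added example (not part of the original post or of Splunk's documentation): a Python check that merges default.meta and local.meta `access` lines and reports which KV store collections a custom role still cannot read, and which it can write, so grants stay least-privilege. The role name `custom_itsi_user` and both sample files are constructed; a collection with no stanza is treated as not granted, and inheritance from a global `[]` stanza is not modelled.

```python
import re

# Constructed sample .meta contents; custom_itsi_user is a hypothetical role.
DEFAULT_META = """\
[collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write : [ itoa_admin ]

[collections/itsi_team]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write : [ itoa_admin ]
"""
LOCAL_META = """\
[collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user, custom_itsi_user ], write: [ itoa_admin ]
"""

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} from .meta text."""
    acl, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and re.match(r"access\s*=", line):
            perms = {"read": set(), "write": set()}
            for verb, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", line):
                perms[verb] = {r.strip() for r in roles.split(",") if r.strip()}
            acl[stanza] = perms
    return acl

def effective_acl(default_text, local_text):
    """An access line in local.meta overrides the one in default.meta."""
    merged = parse_meta(default_text)
    merged.update(parse_meta(local_text))
    return merged

def audit_role(acl, role, needed):
    """Return (collections the role cannot read, collections it can write)."""
    missing, writable = [], []
    for name in needed:
        perms = acl.get(f"collections/{name}", {"read": set(), "write": set()})
        if not ({role, "*"} & perms["read"]):  # "*" grants every role
            missing.append(name)
        if {role, "*"} & perms["write"]:
            writable.append(name)
    return missing, writable

if __name__ == "__main__":
    acl = effective_acl(DEFAULT_META, LOCAL_META)
    print(audit_role(acl, "custom_itsi_user", ["itsi_services", "itsi_team"]))
```

With the sample files, the role is reported as still missing read access on `itsi_team`, the collection named in the 403 URL above.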

ITWhisperer
SplunkTrust

Does your custom user (role) have the correct access to the ITSI app?

theprophet01
Explorer

Hi @ITWhisperer, thanks for reaching out. As part of my test, the ITSI app permissions are set to read and write for "Everyone". Also, an app called ITOA Backend with folder name SA-ITOA has the same permissions set.
