Hello Splunkers,
I have a question. I'm trying to configure a custom role in Splunk where I'm assigning capabilities natively. I'm recreating the default capabilities assigned to User in Splunk Enterprise and itoa_user in Splunk ITSI without using the inheritance option (doing this as a test so I can later remove capabilities as I need to).
The problem I have is that once I save the role with all 65 matching capabilities selected and log in as the testuser assigned to that role, dashboards that use the "getservice" command in their searches do not work and display the following error:
[subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ITOA/storage/collections/config/itsi_team
This issue does not happen when I simply select Inherit capabilities for User and itoa_user. Any ideas as to what could be causing this issue?
I'm running Splunk version 9.1.1.
Update
@ITWhisperer you got me in the right direction. I was able to find the following article:
https://docs.splunk.com/Documentation/ITSI/4.19.0/Configure/CustomRoles
and was able to resolve the issue by including the new custom role under KV store collections:
itsi_services
itsi_teams
By using the following steps:
The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections.
This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.
cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
cp default.meta local.meta
[collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
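The 403 above comes from a KV store collection ACL, not from a missing capability, so it can be checked directly in the metadata file. The following is an added example, not part of the original post or of Splunk's documentation: it parses `[collections/...]` stanzas in the `access = read : [ ... ], write: [ ... ]` form shown above and lists the collections a role cannot read. The role name `custom_itsi_role`, the collection `itsi_example_open` and the sample file contents are constructed; the check looks only at roles named explicitly in each stanza (or `*`) and does not resolve role inheritance or less specific stanzas.

```python
import re

# Constructed sample in the style of SA-ITOA/metadata/local.meta.
# custom_itsi_role and itsi_example_open are hypothetical names.
SAMPLE_META = """\
[collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]

[collections/itsi_team]
access = read : [ itoa_admin, itoa_analyst, itoa_user, custom_itsi_role ], write: [ itoa_admin ]

[collections/itsi_example_open]
access = read : [ * ], write : [ itoa_admin ]
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
ACL = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_collection_acls(meta_text):
    """Return {collection: {"read": set, "write": set}} for collections/* stanzas."""
    acls, current = {}, None
    for raw in meta_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            name = m.group(1)
            current = name[len("collections/"):] if name.startswith("collections/") else None
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip() == "access":
            entry = acls.setdefault(current, {"read": set(), "write": set()})
            for perm, roles in ACL.findall(value):
                entry[perm] = {r.strip() for r in roles.split(",") if r.strip()}
    return acls

def collections_denying_read(meta_text, role):
    """Collections whose read ACL names neither the role nor the * wildcard."""
    return sorted(
        name for name, acl in parse_collection_acls(meta_text).items()
        if role not in acl["read"] and "*" not in acl["read"]
    )

if __name__ == "__main__":
    for name in collections_denying_read(SAMPLE_META, "custom_itsi_role"):
        print(f"custom_itsi_role cannot read collections/{name}")
```

Running the same check for each custom role after editing local.meta shows which collections would still return a 403, and listing the `write` sets confirms that only the intended roles can modify a collection.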
Does your custom user (role) have the correct access to the ITSI app?
Hi @ITWhisperer, thanks for reaching out. As part of my test, the ITSI app permissions are set to read and write for "Everyone". Also, an app called ITOA Backend with folder name SA-ITOA has the same permissions set.