Splunk Search

How do I edit this search to give me the views I have access to, not the views I own?

tkwaller1
Path Finder

Simple search, but I'm having issues nailing down what I want to see.
This search returns all the views the logged-in user owns.

| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename author as user
| search [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as user]
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table Dashboard


I would like to have it show all the views the logged-in user has access to instead, not just the ones that are owned.


Thanks for the help

0 Karma

isoutamo
SplunkTrust

In short:

  1. You must first expand all roles that the user has. Don't forget to expand the inherited roles as well.
  2. Then you must look at which apps the user has read access to via any of his/her roles.
  3. And last, look at which views under those apps grant read access to any of the roles applied to that user, for example:
     eai:acl.perms.read
       admin
       sc_admin

I think that you could find some answers which give SPL for item 1. But I haven't looked at/done 2 and 3. So maybe you can find those, or not?

r. Ismo

0 Karma

livehybrid
SplunkTrust

@isoutamo Surely using the REST call

| rest splunk_server=local /servicesNS/-/-/data/ui/views

will only return views which the user is able to access, otherwise they wouldn't be returned from the API call?

The only thing they need to do is exclude themselves from eai:acl.owner if they don't want to see the ones they own.

| rest splunk_server=local /servicesNS/-/-/data/ui/views 
| search NOT 
    [| rest /services/authentication/current-context splunk_server=local 
    | fields + username 
    | rename username as eai:acl.owner] 
| table label eai:acl.owner

Or just remove the user context entirely to see all views they have access to:

| rest splunk_server=local /servicesNS/-/-/data/ui/views 
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard 
| table App Dashboard

Unless I have the wrong end of the stick here?! @tkwaller1 🤔


0 Karma

isoutamo
SplunkTrust

When you have access to use REST, you will also get some other information as output than you could really access with the GUI (I haven't tested it currently). For that reason you also see other dashboards there by name, even if you don't have access to those.

For that reason you must expand all roles which this user has and also check that the user has access to the apps where those dashboards are.

I can test this later on with my lab, but it takes some days before I have time for it.

0 Karma

livehybrid
SplunkTrust

Wow, I hope that is not the case, because that endpoint returns "eai:data", which is the contents of the dashboard. This could contain sensitive information that shouldn't be exposed to people who don't have access to it. I'll go away and double-check, but this would be a big security issue for a number of my customers if that is the case!

I'm fairly certain it only returns dashboards you have access to but I will go away and verify!

0 Karma

livehybrid
SplunkTrust

Hi @tkwaller1

Just a small tweak to the SPL you already have: use search NOT (current-context) and rename username to eai:acl.owner instead of user. This would filter out all of the ones which the current user owns.

| rest splunk_server=local /servicesNS/-/-/data/ui/views 
| search NOT 
    [| rest /services/authentication/current-context splunk_server=local 
    | fields + username 
    | rename username as eai:acl.owner] 
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard 
| table Dashboard eai:acl.owner

If you just want to see all views which the user can access, then this will be any which are returned from the REST call:

| rest splunk_server=local /servicesNS/-/-/data/ui/views 
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard 
| table App Dashboard eai:acl.owner

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
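The three-step check that isoutamo outlines (expand the user's roles including inherited ones, find the apps those roles can read, then keep the views in those apps whose read ACL names one of those roles) is easy to get wrong around role inheritance and app-level ACLs, so here is the logic carried through in Python. This is an added example, not code from the thread or from Splunk itself: the role, app and view records are constructed to look like the fields returned by /services/authorization/roles, /services/apps/local and /servicesNS/-/-/data/ui/views (imported_roles, eai:acl.app, eai:acl.owner, eai:acl.sharing, eai:acl.perms.read), and the evaluation is a simplified model that does not account for capabilities such as admin_all_objects, which bypass these ACLs on a real instance.

```python
"""Model of "which views can this user read?" from Splunk-style ACL fields.

Step 1: expand assigned roles through imported_roles (inherited roles).
Step 2: keep the apps whose eai:acl.perms.read names one of those roles or "*".
Step 3: within those apps, keep views whose read ACL matches, plus views the
        user owns; private (eai:acl.sharing == "user") views go to the owner only.

Constructed sample data below; field names mirror the REST endpoints, but the
values are invented and the ACL semantics are simplified (no capability checks).
"""
from __future__ import annotations

from typing import Iterable

# Constructed: shaped like /services/authorization/roles (imported_roles).
ROLES: dict[str, dict] = {
    "admin": {"imported_roles": ["power", "user"]},
    "power": {"imported_roles": ["user"]},
    "user": {"imported_roles": []},
    "sc_admin": {"imported_roles": ["admin"]},
    "analyst": {"imported_roles": ["user"]},
}

# Constructed: shaped like /services/apps/local (eai:acl.perms.read).
APPS: dict[str, dict] = {
    "search": {"eai:acl.perms.read": ["*"]},
    "secops": {"eai:acl.perms.read": ["analyst", "admin"]},
    "finance": {"eai:acl.perms.read": ["admin"]},
}

# Constructed: shaped like /servicesNS/-/-/data/ui/views records.
VIEWS: list[dict] = [
    {"title": "overview", "eai:acl.app": "search", "eai:acl.owner": "bob",
     "eai:acl.sharing": "app", "eai:acl.perms.read": ["*"]},
    {"title": "triage", "eai:acl.app": "secops", "eai:acl.owner": "bob",
     "eai:acl.sharing": "app", "eai:acl.perms.read": ["analyst"]},
    {"title": "budget", "eai:acl.app": "finance", "eai:acl.owner": "carol",
     "eai:acl.sharing": "global", "eai:acl.perms.read": ["*"]},
    {"title": "alice_notes", "eai:acl.app": "search", "eai:acl.owner": "alice",
     "eai:acl.sharing": "user", "eai:acl.perms.read": []},
    {"title": "power_report", "eai:acl.app": "search", "eai:acl.owner": "bob",
     "eai:acl.sharing": "app", "eai:acl.perms.read": ["power"]},
]


def expand_roles(assigned: Iterable[str], roles: dict[str, dict]) -> set[str]:
    """Step 1: transitive closure over imported_roles; cycle-safe."""
    effective: set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue
        effective.add(role)
        stack.extend(roles.get(role, {}).get("imported_roles", []))
    return effective


def acl_allows(perms_read: Iterable[str] | None, effective: set[str]) -> bool:
    """A read ACL grants access when it lists "*" or any effective role."""
    perms = set(perms_read or [])
    return "*" in perms or bool(perms & effective)


def readable_apps(effective: set[str], apps: dict[str, dict]) -> set[str]:
    """Step 2: apps whose read ACL matches one of the effective roles."""
    return {name for name, app in apps.items()
            if acl_allows(app.get("eai:acl.perms.read"), effective)}


def accessible_views(user: str, assigned: Iterable[str], roles=ROLES,
                     apps=APPS, views=VIEWS) -> set[str]:
    """Step 3: titles of views the user can read (owned or ACL-granted)."""
    effective = expand_roles(assigned, roles)
    apps_ok = readable_apps(effective, apps)
    result: set[str] = set()
    for view in views:
        if view["eai:acl.app"] not in apps_ok:
            continue  # a "*" view in an unreadable app is still hidden
        is_owner = view["eai:acl.owner"] == user
        if view.get("eai:acl.sharing") == "user":
            if is_owner:  # private objects: owner only
                result.add(view["title"])
            continue
        if is_owner or acl_allows(view.get("eai:acl.perms.read"), effective):
            result.add(view["title"])
    return result


def accessible_not_owned(user: str, assigned: Iterable[str]) -> set[str]:
    """What the thread's `search NOT [... eai:acl.owner]` filter is after."""
    return {t for t in accessible_views(user, assigned)
            if next(v for v in VIEWS if v["title"] == t)["eai:acl.owner"] != user}


if __name__ == "__main__":
    for user, assigned in (("alice", ["analyst"]), ("dave", ["sc_admin"]), ("erin", ["user"])):
        print(user, sorted(accessible_views(user, assigned)))
```

The sample deliberately exercises each step: dave reaches power_report only through the sc_admin → admin → power chain (step 1), erin cannot see budget even though its read ACL is "*", because the finance app itself is not readable by her roles (step 2), and alice's private alice_notes is visible to nobody else (step 3). On a live instance the `| rest` command runs as the caller, so the server has already applied its own version of this evaluation before the rows reach the search; the model is mainly useful when an admin pulls the full role, app and view inventories and wants to compute another user's effective view set for an access review.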