How to restrict a user role to have access only to limited set of views in search app?

pkarpushin
Path Finder

I have defined a role my_users for which I want to limit the available views in the default search app to "Search" and "Alerts".
I am trying to accomplish this by editing the $SPLUNK_HOME/etc/apps/search/metadata/local.meta file in the following way:

[views]
access = read : [ admin, power, user ], write : [ admin, power ]

[views/search]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]

[views/alerts]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]

Unfortunately, users with the my_users role completely lose access to the Search app.
But when I explicitly specify access restrictions for the remaining views in the Search app (a total of 27 without "Alerts" and "Search", accessible from <host>:<port>/en-US/manager/search/data/ui/views) with access = read : [ admin, power, user ], write : [ admin, power ] and delete the [views] part in local.meta, I get the desired result.

I need to know which views are covered by the [views] stanza of the *.meta file in the Search app but are missing from <host>:<port>/en-US/manager/search/data/ui/views, so that I can explicitly allow them for the my_users role.

1 Solution

pmalcakdoj
Path Finder

You were half-way there.
The reason why your first approach fails is that the [views] stanza functions counter-intuitively compared to Splunk's usual config inheritance. What I mean by that is: [views/my_custom_view] does NOT inherit whatever setting you configured in [views].
Instead... in order for a user to be able to access/see a view, he/she needs read access in both [views/my_custom_view] and [views].

This behavior is documented at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Defaultmetaconf
It states:

To access/use an object, users must have read access to:
- the app containing the object
- the generic category within the app (eg [views])
- the object itself
If any layer does not permit read access, the object will not be accessible.
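
The layered rule quoted above, applied to the local.meta from the question, as an added example that is not part of the original posts and not Splunk's own code. It assumes an app-level [] stanza that grants read to everyone, treats a layer with no stanza of its own as adding no restriction, and does not model role inheritance; the function names are made up for this sketch.

```python
import re

# Constructed sample: the local.meta from the question. The app-level []
# stanza is an assumption; the question does not show one.
QUESTION_META = """\
[]
access = read : [ * ], write : [ admin ]
[views]
access = read : [ admin, power, user ], write : [ admin, power ]
[views/search]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]
[views/alerts]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]
"""

def parse_meta(text):
    """Map each stanza name to the set of roles its access line lets read."""
    readers, stanza = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif line.startswith("access") and stanza is not None:
            m = re.search(r"read\s*:\s*\[([^\]]*)\]", line)
            if m:
                readers[stanza] = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return readers

def blocking_layers(readers, role, category, obj):
    """Return the layers (app, category, object) that deny `role` read access.
    Assumption: a layer with no stanza of its own adds no restriction."""
    blocked = []
    for stanza in ("", category, f"{category}/{obj}"):
        allowed = readers.get(stanza)
        if allowed is not None and "*" not in allowed and role not in allowed:
            blocked.append(f"[{stanza}]")
    return blocked

def can_read(readers, role, category, obj):
    return not blocking_layers(readers, role, category, obj)

def explicit_meta(all_views, role, allowed):
    """Per-view stanzas with no [views] stanza, like the asker's working setup."""
    out = ["[]", "access = read : [ * ], write : [ admin ]"]
    for view in all_views:
        roles = "admin, power, user" + (f", {role}" if view in allowed else "")
        out += [f"[views/{view}]", f"access = read : [ {roles} ], write : [ admin, power ]"]
    return "\n".join(out)

if __name__ == "__main__":
    acl = parse_meta(QUESTION_META)
    print(blocking_layers(acl, "my_users", "views", "search"))
```

Running `blocking_layers` for each view a role should see shows which stanza to change before editing the live local.meta.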

pkarpushin
Path Finder

Hi @pmalcakdoj !
Ty for your reply.

So you mean to say I will not be able to restrict access within the app in a fast way. default.meta's stanzas' behaviour is truly not like I expected it to be. Making manual restrictions for every view every time is not very convenient.
Thank you for clarifying this for me.

0 Karma

pmalcakdoj
Path Finder

That's correct - no "fast way".
And I agree, doing it one-by-one is rather tedious.
Normally, in custom apps, this isn't a big problem as you know what you put in those custom apps.
The problem is the search app. It is heavily integrated within splunk and you can't simply deny users access to it, or many other things would break as well.

0 Karma

woodcock
Esteemed Legend

You need to talk to @pmalcakdoj. He is the expert here.

0 Karma

fverdi
Explorer

Alright, I think I understand what you're looking for. There's probably more than one way to do it, but here's a method using the web ui:

  1. From the Web UI, go to: Settings > All Configurations
  2. In the App Context drop-down, choose Search & Reporting (search)
  3. Check the Show only objects created in this app context box (or uncheck it depending on what you're targeting)
  4. Change Results per page to 100
  5. Sort by Config type
  6. Scroll to locate all of the items where the Config type is view

You should see a list like this:

  • alert
  • alerts
  • charting
  • dashboard
  • dashboard_live
  • dashboards
  • data_model_editor
  • data_model_explorer
  • data_model_manager
  • data_models
  • dataset
  • datasets
  • field_extractor
  • flashtimeline
  • integrity_check_of_installed_files
  • job_manager
  • licenseusage
  • live_tail
  • mod_setup
  • orphaned_scheduled_searches
  • pivot
  • report
  • report_builder_define_data
  • report_builder_display
  • report_builder_format_report
  • report_builder_print
  • reports
  • search
  • show_source

It's pretty easy to copy/paste these tables into MS Excel to manipulate the data if you need to.

0 Karma

pkarpushin
Path Finder

Hi, @fverdi
Ty for the reply.

My goal is to maximally restrict the access of the my_users group to the Search application. I want to use the [views] stanza in the local.meta file to set up views that are accessible to all users except the user group my_users. For my_users, I want to explicitly set the settings for all [views/<view-name>] stanzas which are necessary for the basic operation of the Search application. At the moment, I have explicitly specified settings for all 29 views that exist in the Search application.

0 Karma