I have defined a role my_users
for which I want to limit available views in a default search app to "Search" and "Alerts".
I am trying to accomplish this through editing $SPLUNK_HOME/etc/apps/search/metadata/local.meta
file in a following way:
[views]
access = read : [ admin, power, user ], write : [ admin, power ]
[views/search]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]
[views/alerts]
access = read : [ admin, power, user, my_users ], write : [ admin, power ]
Unfortunately users with my_users
role complitely loose access to Search app.
But when I explicetely specify access restrictions for remaining views in a Search app (total of 27 without "Alerts" and "Search", accessible from <host>:<port>/en-US/manager/search/data/ui/views
) with access = read : [ admin, power, user ], write : [ admin, power ]
and delete [views]
part in local.meta
I get desired result.
I need to know what views are covered with [views]
stanza of *.meta
file in Search app which are missed from <host>:<port>/en-US/manager/search/data/ui/views
, so that I would be able to explicetely allow them for my_users
role.
You were half-way there.
The reason why your first approach fails is because [views]
stanza functions counter-intuitively to splunk's usual config inheritance. What I mean by that is: [views/my_custom_view]
does NOT inherit whatever setting you configured in [views]
.
Instead... in order for user to be able to access/see a view, he/she needs read access in both [views/my_custom_view]
and [views]
This behavior is documented at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Defaultmetaconf
It states:
To access/use an object, users must have read access to:
- the app containing the object
- the generic category within the app (eg [views])
- the object itself
If any layer does not permit read access, the object will not be accessible.
You were half-way there.
The reason why your first approach fails is because [views]
stanza functions counter-intuitively to splunk's usual config inheritance. What I mean by that is: [views/my_custom_view]
does NOT inherit whatever setting you configured in [views]
.
Instead... in order for user to be able to access/see a view, he/she needs read access in both [views/my_custom_view]
and [views]
This behavior is documented at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Defaultmetaconf
It states:
To access/use an object, users must have read access to:
- the app containing the object
- the generic category within the app (eg [views])
- the object itself
If any layer does not permit read access, the object will not be accessible.
Hi @pmalcakdoj !
Ty for your reply.
So you mean to say I will not be able to restrict access within the app in a fast way. default.meta's stanzas behaviour is truly not like I expected them to be. Making manual restriction for every view every time is not very convinient.
Thank you for clarifing this for me.
That's correct - no "fast way".
And I agree, doing it one-by-one is rather tedious.
Normally, in custom apps, this isn't a big problem as you know what you put in those custom apps.
The problem is the search app. It is heavily integrated within splunk and you can't simply deny users access to it, or many other things would break as well.
You need to talk to @pmalcakdoj. He is the expert here.
Alright, I think I understand what you're looking for. There's probably more than one way to do it, but here's a method using the web ui:
Settings
> All Configurations
App Context
drop-down, choose Search & Reporting (search)
Show only objects created in this app context
box (or uncheck it depending on what you're targeting)Results per page
to 100
Config type
Config type
is view
You should see a list like this:
it's pretty easy to copy/paste these tables into MS Excel to manipulate the data if you need to
Hi, @fverdi
Ty for the reply.
My goal is to maximally restrict the access of the my_users
group to the Search application. I want to use [views]
stanza in the local.meta file to set up views that are accessible to all users except the user group my_users
. For my_users
, I want to explicitly set the settings for all stanza [views / <view-name>]
, which are necessary for the basic operation of the Search application. At the moment, I have explicitly specified settings for all 29 views that exist in the Search application.