Splunk Search

Restrict access to create dashboards and alerts and give access only to run search query

Ashwini008
Builder

Hi,

Basically I want to revoke write access for users, but due to business requirements I am supposed to give users access to run their search queries on the Search and Reporting page in Splunk.

Problem: If I give access to the Search and Reporting page to run the queries, users will be able to create dashboards, alerts and reports, since the dashboard and alert menus are present in the navigation bar of the Search and Reporting page. If I remove access to the Search and Reporting page, users will not be able to run their queries and see the output.

Is there a way I can restrict access so that users are able to run only their queries and not access the dashboard menu?

P.S. If I remove the default XML code for dashboards in the navigation bar, then it won't be accessible to admins as well.

Any solution on this issue would be great!

Thanks,

0 Karma

impurush
Contributor

@Ashwini008 

1. You can create a different app, similar to Search and Reporting, whose default.xml has only the search option, then give those users access to it.
2. You can remove the dashboards and alerts from the default so that they won't be visible, and admins can access them directly via the URL.
(Example: https://<your_url>/app/search/dashboards)
3. Create one dashboard which has the links for dashboards and alerts and give access to it only to admins, then remove the dashboard and alert entries from default.xml and add the newly created dashboard, so that only admins can see the dashboard and access those links.

0 Karma

Ashwini008
Builder

Thanks for the response!

I tried the first option, but after creating the copy of the search app without dashboard menus, unless I give the role "user", the person is not able to access the copy of the search app.

And if I give the role "user", the person is able to access the normal Search and Reporting app as well.

1. You can create a different app, similar to Search and Reporting, whose default.xml has only the search option, then give those users access to it.

How do I proceed?

0 Karma

impurush
Contributor

@Ashwini008 
1. Create a new app like the search app and remove the dashboards and alerts in default.xml.
2. Create a new role and assign it the capabilities of the "User" role. Do not inherit.
3. Create a user and assign the new role.
4. Give the new role access to your new app.

0 Karma
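Steps 2 to 4 of the reply above, written out as configuration files; this is an added example, not part of the thread. The role name `search_only`, the app name `search_only_app` and the index `main` are assumptions. The navigation XML only decides which menu entries are shown, while the role's capabilities and the app's metadata permissions decide what the role is allowed to do.

```ini
# Added example. "search_only", "search_only_app" and "main" are assumed names.

# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
[role_search_only]
# Step 2: no inheritance, so nothing from "user" or "power" is pulled in
# implicitly; every capability the role needs is listed by hand.
importRoles =
search = enabled
get_metadata = enabled
get_typeahead = enabled
rest_properties_get = enabled
change_own_password = enabled
# schedule_search is deliberately not enabled: scheduling a report or
# creating an alert requires it.
# Indexes the role may search and the ones searched by default.
srchIndexesAllowed = main
srchIndexesDefault = main

# --- $SPLUNK_HOME/etc/apps/search_only_app/metadata/local.meta ---
# Step 4: app-level permissions. The new role can open the app and run
# searches (read) but is not in the write list, so it cannot save
# knowledge objects such as dashboards or reports into this app.
[]
access = read : [ search_only, admin ], write : [ admin ]
```

Splunk reads these files at startup, so restart the instance after editing them by hand; the same settings can be made under Settings > Roles and the app's Permissions page.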

Ashwini008
Builder

I created a new app after removing the dashboard menus from the navigation bar.

I created a new role with the same capabilities as the "USER" role and assigned it to the new user, but I am still unable to access the search page.

I also tried this method: I removed all the menus from the original SEARCH AND REPORTING PAGE,

i.e. I removed the details below from the default.xml, but the user is still able to access them through the direct URL (ex: http://MYAPP//dashboards)

<view name="datasets" />
<view name="reports" />
<view name="alerts" />
<view name="dashboards" />

P.S. I have restricted the roles as well. 😞

0 Karma