Splunk Search

controlling access to dashboard and search capability

splunkears
Path Finder

I think this is a typical Splunk use case wherein we want to give access to users who can only VIEW dashboards but should not query or issue search commands.

I see some documentation on this:
http://docs.splunk.com/Documentation/Splunk/5.0.4/Security/Addmanagementaccesstocustomroles
but, following this, it still allows users to fire search queries.

For example, when a user has access to a dashboard and then accesses the dashboard page, there is a small link called "view results". Upon clicking on view results, it brings up the search box screen. How do we give access to dashboard URLs alone, and no access to the search UI?

I tried the other approach of creating a new role with no search capability, but it is not allowing the user to view dashboards.

Thanks.

1 Solution

somesoni2
Revered Legend

I have tried the following and it's working fine for me.

  1. Create a role, say dashboardUser. Set the default app and capabilities similar to the "user" role. Assign this role to all the users who should just access dashboards and should not perform explicit search/query.
  2. Go to "User Interface>>Views".
  3. Uncheck "Show only objects created in this app context". This should show you all the views with Global permission, specifically the flashtimeline and dashboard_live views.
  4. Change the permission for Read from "Everyone" to all the necessary roles excluding the dashboard user.

This should restrict the access to flashtimeline (the screen on which people generally search). Repeat the same for all the views which provide direct search.

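A way to check the result of step 4 from the metadata file instead of the UI, as an added example that is not part of the original posts. It assumes the view permissions are stored in the search app's `metadata/local.meta`, uses a constructed sample file, and does not model role inheritance or `default.meta` layering.

```python
import re

# Constructed sample of $SPLUNK_HOME/etc/apps/search/metadata/local.meta after
# step 4 was applied to flashtimeline only (role list is an assumption).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[views/flashtimeline]
access = read : [ admin, power, user ], write : [ admin ]
export = system

[views/dashboard_live]
export = system
"""

SEARCH_VIEWS = ("flashtimeline", "dashboard_live")  # views named in the answer

def parse_meta(text):
    """Return {stanza_name: {key: value}} for a Splunk .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(stanzas, view):
    """Roles with read access; falls back views/<name> -> views -> [] (app default)."""
    for name in (f"views/{view}", "views", ""):
        access = stanzas.get(name, {}).get("access", "")
        match = re.search(r"read\s*:\s*\[([^\]]*)\]", access)
        if match:
            return {r.strip().lower() for r in match.group(1).split(",") if r.strip()}
    return set()

def exposed_views(text, role, views=SEARCH_VIEWS):
    """Search views the role can still read, by name or via the '*' wildcard."""
    stanzas = parse_meta(text)
    return [v for v in views if read_roles(stanzas, v) & {role.lower(), "*"}]

if __name__ == "__main__":
    print(exposed_views(SAMPLE_META, "dashboardUser"))
```

In the sample, dashboard_live has no `access` line of its own, so it falls back to the app-wide `read : [ * ]` and is still reachable by the restricted role.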

rogerhu
New Member

The problem is that Splunk creates a default navigation menu for your new app. This default navigation menu is stored as the dashboards view inside the search app. The problem is that if you deny access to this app, then trying to view this dashboard will 404.

    <nav search_view="search" color="#65A637">
      <view name="dashboards" />
    </nav>

You need to do two things:

  1. Delete the search_view= parameter.
  2. Create the views that reference dashboards inside your dashboard_role only. Since you are restricting access to this view, you can no longer render what views are available dynamically.

For more info about customizing the navigation menu, see http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/BuildNavigation

0 Karma

rogerhu
New Member

One other thing I noticed is that Splunk v6.0 does not appear to honor global permissions for your custom commands and macros if you are restricting access to the search app. For instance, the gauge command is considered an advanced command and restricting access to the search app prevents the gauge command from being used.

The same problem happens for macros created in the search app. Without access to the search app, the global permissions seem to get ignored.

0 Karma

splunk47
New Member

You need to do two things:

  1. Delete the search_view= parameter.
  2. Create the views that reference dashboards inside your dashboard_role only. Since you are restricting access to this view, you can no longer render what views are available dynamically.

??? Kindly explain these two steps.

0 Karma

splunkears
Path Finder

Thanks for the hint. My dashboard was with default permission for role user. I've added the new role too, in the permission list, for this dash. And hence, it works now 🙂
The test user is able to access dashboard. And he is not able to access search / flashtimeline as expected.

0 Karma

somesoni2
Revered Legend

As part of step , did you change the permission for "name_of_my_dashboard" as well to exclude dashboarduser? We should exclude only for flashtimeline and dashboard_live. Also for any view that you have created which provides a search bar. Your normal dashboards (which contain links 'View Result') should be made accessible.

0 Karma

splunkears
Path Finder

I tried exactly the same steps as you mentioned. My test userID gets a 404 with the message "Splunk Cannot find the ...name_of_my_dash.. view" while accessing the dashboard URL.

It seems like Search and Dashboard capabilities are tightly coupled. Either both are on or both are off 😞

0 Karma

somesoni2
Revered Legend

You should create a new role with all capabilities similar to user.
The capability search is required, otherwise the dashboard searches also will not work.

0 Karma

splunkears
Path Finder

Hi,
Thank you so much. Could you please clarify on - "..capabilities similar to "user" role.."

Does this mean create a new role and use inheritance (from Manager/ACL/Roles) from role "User" (under the selected column, in the UI)?
Or should I create a new role with all the capabilities similar to user, meaning the following caps:

change_own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search

Note that there is a capability, search. Should I include this in the new role?

0 Karma

sowings
Splunk Employee

I've done this by hiding (using CSS) the "View results" link. Admittedly, it's a bit of a kludge, but at least stops the specific pain point.

You might also consider disallowing general users to the main "searchbar views". These are typically dashboard_live and flashtimeline; they live in the "search" app.

The CSS I used to hide those results is below. It would go into a file called 'application.css' in the appserver/static subdir of whatever app contains your dashboards.


    /* Don't show the "View results" footer */
    .ViewRedirectorLink {
        display: none !important;
    }
