Splunk Search
Highlighted

controlling access to dashboard and search capability

Path Finder

I think this is a typical Splunk use case wherein, we want to give access to users who can only VIEW dashboards but should not query or issue search commands.

I see some documentation on this:
http://docs.splunk.com/Documentation/Splunk/5.0.4/Security/Addmanagementaccesstocustomroles
but, following this, it is still users to fire search queries.

For example, when a user has a access to a dashboard, and then, access the dashboard page, there is a small link called "view results". Upon clicking on view results, it is bring search box screen. How do we just give access to dashboard URLs alone and, no access search UI.

I tried the other approach of creating a new role with no search capability but, it is not allowing the user to view dashboards.

thanks..

Highlighted

Re: controlling access to dashboard and search capability

Splunk Employee
Splunk Employee

I've done this by hiding (using CSS) the "View results" link. Admittedly, it's a bit of a kludge, but at least stops the specific pain point.

You might also consider disallowing general users to the main "searchbar views". These are typically dashboard_live and flashtimeline; they live in the "search" app.

The CSS I used to hide those results is below. It would go into a file called 'application.css' in the appserver/static subdir of whatever app contains your dashboards.


/* Don't show the "View results" footer */
.ViewRedirectorLink {
display: none !important;
}

Highlighted

Re: controlling access to dashboard and search capability

SplunkTrust
SplunkTrust

I have tried following and its working fine for me.

  1. Create a Role, say dashboardUser. Set the default app and capabilities similar to "user" role. Assign this role to all the users which should just access dashboards and should not perform explicit search/query
  2. go to "User Interface>>Views"
  3. Uncheck "Show only objects created in this app context". this should show you all the views with Global permission. Specifically flashtimeline and dashboard_live view.
  4. change the permission for Read from "Everyone" to all the necessary roles excluding dashboard user.

THis should restrict the access to flashtimeline (screen to which generally people search). Repeat the same for all the views which provide direct search.

View solution in original post

Highlighted

Re: controlling access to dashboard and search capability

Path Finder

Hi,
Thank you so much. Could you please clarify on - "..capabilities similar to "user" role.."

Does this mean, create a new role and use Inheritance (from Manager/ACL/Roles) from role "User" (under selected column, in the UI).
Or should I create a new role with all the all the capabilities similar to user - meaning the following cap.s

changeownpassword
getmetadata
get
typeahead
inputfile
list
inputs
outputfile
request
remotetok
rest
appsview
rest
propertiesget
rest
propertiesset
schedule
rtsearch
search

Note that there is a capability - search include this..in the new role.?

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

SplunkTrust
SplunkTrust

YOu should create a new role with all capabilities similar to user.
The capability search is required otherwise the dashboards searches also will not work.

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

Path Finder

I tried exactly the same steps as you mentioned. My test userID gets 404 - with a message - " Splunk Cannot find the ...nameofmy_dash.. view - message - while accessing dashboard URL.

It seems like Search and Dashboard capabilities are tightly coupled. Either both are on or both are off 😞

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

SplunkTrust
SplunkTrust

As part of step , did you change the permission for "nameofmydashboard" as well to exclude dashboarduser?? we should exclude only for flashtimeline and dashboardlive. ALso for any view that you have created which provides search bar. Your normal dashboards (which contains links 'View Result') should be made accessible.

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

Path Finder

Thanks for the hint. My dashboard was with default permission for role user. I've added the new role too, in the permission list, for this dash. And hence, it works now 🙂
The test user is able to access dashboard. And he is not able to access search / flashtimeline as expected.

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

New Member

The problem is that Splunk creates a default navigation menu for your new app. This default navigation menu is stored as the dashboards view inside the search app. The problem is that if you deny access to this app, then trying to view this dashboard will 404.

<nav search_view="search" color="#65A637"> <view name="dashboards" /> </nav> You need to do two things:

  1. Delete the search_view= parameter.
  2. Create the views that reference dashboards inside your dashboard_role only. Since you are restricting access to this view, you can no longer render what views are available dynamically.

For more info about customizing the navigation menu, see http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/BuildNavigation

0 Karma
Highlighted

Re: controlling access to dashboard and search capability

New Member

One other thing I noticed is that Splunk v6.0 does not appear to honor global permissions for your custom commands and macros if you restricting access to the search app. For instance, the gauge command is considered an advanced command and restricting access to the search app prevents the gauge command from being used.

The same problem happen for macros created in the search app. Without access to the search app, the global permissions seem to get ignored.

0 Karma