"Capability" attribute not working in restmap.conf...

zahrasidhpuri · ‎01-19-2020

The documentation for 'restmap.conf' can be obtained here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Restmapconf
The purpose of the 'capability' attribute is to restrict a user without that particular capability to hit that endpoint. I used the attribute to do the same. But I observed some anomaly here. It is as described below:

[admin_external:splunk_ta_addon_server]
handlertype = python
handlerfile = splunk_ta_addon_rh_server.py
handleractions = edit, list, remove, create
handlerpersistentmode = true
capability = admin_all_objects

As per the Splunk docs, a user without this capability should not be able to access the 'splunk_ta_addon_server' endpoint. But in this case, it allows the user to access the endpoint.

But when I added the same attribute in a different stanza, as displayed below, the attribute is working fine and it does not allow the user to access the restricted endpoint.

    [admin:splunk_ta_authorized]
    match = /
    members = splunk_ta_addon_server
    capability= admin_all_objects

Can anyone please explain, why is there such a difference in the behaviour of the attribute in different stanzas? Am I missing something here?

"Capability" attribute not working in restmap.conf in Splunk.

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector