Hello.
I'm creating an Event Type like this:
curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
-d name="incident_1" \
--data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"
My RESTUser is a member of one role, 'REST_API_User', which has the following capabilities:
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API:
curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
-d perms.read=* \
-d perms.write=* \
-d sharing=app \
-d owner=RESTUser
However, now I am denied this action with the following error message:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
</messages>
</response>
Why does it want to write to /nobody/search/...? I specifically told it to update RESTUser/search/saved/eventtypes/incident_1, with no mention of /nobody/.
Why does it say write : [ admin, power ]? Is this the default permission when creating an Event Type?
I even tried to add inheritance to the role REST_API_User, to inherit the role "user", but still no luck. If I log in to the GUI with the User role added to me, I do not see the "Permissions" link behind "Sharing Private" on the line for this Event Type.
If I add the RESTUser with admin role - everything works nicely.
I am confused as to what to do, as I don't want to give system admin access to my Splunk just to add and update Event Type ACLs. Isn't there a way to create an Event Type and set the permissions at the same time? It seems to be set to [ admin, power ] by default.
Any advice out there?
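The error body quoted above carries everything needed to see why the ACL update is refused: the roles the calling user holds, the namespace path the server actually resolved (the app-level /nobody/search/... object, not the user's private one), and the read/write role lists on that object. The following script, added here as an illustration and not code from the poster or from Splunk, parses that XML (embedded below as the constructed sample, copied from the post) and checks whether any of the user's roles appears in the list that gates the requested action. The regular expression is an assumption about the message format based only on the one message shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the error response quoted in the post above.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
</messages>
</response>
"""

# Assumed message layout, derived from the single message in the post.
_MSG_RE = re.compile(
    r"User '(?P<user>[^']+)' with roles \{ (?P<roles>[^}]*) \} cannot (?P<action>\w+): "
    r"(?P<path>\S+) \{ read : \[ (?P<read>[^\]]*) \], write : \[ (?P<write>[^\]]*) \] \}"
)


def _split_list(text):
    """Turn 'admin, power' into ['admin', 'power'], dropping blanks."""
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_acl_error(xml_text):
    """Extract user, roles, action, object path and ACL lists from the
    first <msg type="ERROR"> in a Splunk REST response; None if absent."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    for msg in root.iter("msg"):
        if msg.get("type") != "ERROR":
            continue
        match = _MSG_RE.search(msg.text or "")
        if match:
            return {
                "user": match["user"],
                "roles": _split_list(match["roles"]),
                "action": match["action"],
                "path": match["path"],
                "read": _split_list(match["read"]),
                "write": _split_list(match["write"]),
            }
    return None


def granting_roles(info):
    """Roles that would permit the denied action on the object."""
    return info["write"] if info["action"] == "write" else info["read"]


def can_perform(info):
    """True if the ACL is open ('*') or the user holds a granting role."""
    needed = granting_roles(info)
    return "*" in needed or bool(set(info["roles"]) & set(needed))


def explain(info):
    """One-line diagnosis suitable for a script's output."""
    if can_perform(info):
        return "%s may %s %s" % (info["user"], info["action"], info["path"])
    return "%s (roles %s) needs one of %s to %s %s" % (
        info["user"], ", ".join(info["roles"]),
        ", ".join(granting_roles(info)), info["action"], info["path"],
    )


if __name__ == "__main__":
    print(explain(parse_acl_error(SAMPLE_RESPONSE)))
```

Run against the sample, the script reports that RESTUser's roles (restuser, rest_api_user) do not intersect the write list (admin, power) on /nobody/search/eventtypes/incident_1, which is the app-level object the sharing change has to write to. The same parser can be pointed at the body of any failed ACL POST to see which object and which role list actually blocked it before widening a role's privileges.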