How do I fix this 403 error I got after updating a...

chy1we1 · ‎07-12-2022

Hi, I'm new in Splunk alerting and I met a problem on changing alert permission by using ACL REST API.

I'm writing a script to help me create Splunk alerts through REST API, and I use the saved/searches endpoint to create a new alert and the everything goes well, the alert is created successfully.

Then I add `{alert_name}/acl` into the url and attempt to update the alert's permission which I have created before. But I receive an 403 error tell me "You do not have permission to change the owner of this object".

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">You do not have permission to change the owner of this object.</msg>
  </messages>
</response>

More confused is I can change the permission on Splunk Web GUI, I can see the "edit permission" button for this alert. BTW, my account doesn't have the admin role.

I have no ideas on this problem and I don't know whether it related to account role or any capability. Does anyone encountered the same problem? Need your help and much appreciate!

How do I fix this 403 error I got after updating a saved search permission by using ACL REST API?

alert action

alert condition

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?