Security

How to disable the schedule_rtsearch capability?

emiller42
Motivator

I would like to create a role which has the following attributes:

  • Allows both historical and realtime ad-hoc searches
  • Allows the scheduling of historical searches (for alerting and reporting)
  • Disallows the scheduling of realtime searches

This is because users have a tendency to pick the 'per-event' alerting option when creating alerts, which creates all-time, real-time searches. I want to prevent them from being able to do so, as it's very uncommon for a realtime alert to have appreciable value over a scheduled search running on a short interval.

However, the schedule_rtsearch capability is actually included in the [default] stanza of authorize.conf, meaning it is always enabled on any roles without having to inherit. Because capabilities only have one setting (enabled) I can't create a role with schedule_rtsearch=disabled to override that default.

Is there any way to disable this functionality?

1 Solution

dwaddle
SplunkTrust
SplunkTrust

As discussed in irc:

Make your own local/authorize.conf with:

[default]
schedule_rtsearch = 

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

As discussed in irc:

Make your own local/authorize.conf with:

[default]
schedule_rtsearch = 

bravon
Communicator

This doesnt answer why its enabled by default tho..

emiller42
Motivator

This appears to be working as desired! Thank you!

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...