Security

View only User

florianhh
Explorer

Hello Splunkys,

i read this post Link on the Splunk Forum. 

I created a App and it only contains 1 dashboard. I create a user that has only access to this app.

But you can't disable the users permission to view the search app.

If you do that you get a 500 error after logging in. 

If you dont do it and allow view for the search app then it works but then the user is able to search more.

Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.

We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.

Labels (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

Hi @florianhh 

One way to control is having searchFilter and allow only indexes that you want this person to see at app level.

Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.

#authorize.conf should be deployed to Search head
## Same can be accomplished in UI
[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = index1

---

An upvote would be appreciated if it helps!

florianhh
Explorer

Thank you !

I've tried that from the WebUI but it did not work.

I now did it trough  the .conf file as you suggested and now it works.

Oddly now the webUI Shows (EventCode::4740)  as filter.  Why is that odd format with :: ?

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@florianhh 

:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.

--

An upvote would be appreciated if it helps!

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...