Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

restrict users from deleting other users knowledge objects

kranthimutyala
Path Finder
‎09-15-2020 01:05 AM

Hi Everyone,

I need some help in restrict users from deleting other users knowledge objects.Recently one of the user has deleted the alerts which belongs to  other team.We need to restrict them in deleting other KO's and they have only the capability of deleting their own and share their KO's globally. All this is related to search and reporting app.

Below is the existing config which we are using currently.Kindly advise me on tweaking the setting to achieve the above mentioned restrictions.

 

[role_vpn]
accelerate_search = enabled
cumulativeRTSrchJobsQuota = 50
edit_search_schedule_window = enabled
export_results_is_visible = enabled
get_metadata = enabled
get_typeahead = enabled
pattern_detect = enabled
rest_properties_get = enabled
rtSrchJobsQuota = 5
rtsearch = enabled
schedule_search = enabled
search = enabled
srchDiskQuota = 200
srchIndexesAllowed = vpn
srchIndexesDefault = vpn
srchJobsQuota = 20
srchMaxTime = 0

And the permission for search and reporting are as follows.

[]
access = read : [ * ], write : [ * ]
export = none

Thank you.

 

 

Labels (4)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-15-2020 01:16 AM

user from the above role role_vpn deleted KO's of other user?

————————————
If this helps, give a like below.
0 Karma
Reply

kranthimutyala
Path Finder
‎09-15-2020 03:55 AM

@thambisetty  yes all have write access to search app , we gave write access to enable sharing option , but some users without knowledge are deleting others KOs(including other KOs created by other roles).

The config which I shared is same for all the roles.Any help is highly appreciated.Thanks

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-15-2020 10:40 AM
I propose that you will add separate apps for those groups and then create roles per app. Then all write should be done via those. Personally I don’t like the idea that all users can share KOs globally. Usually this generates more issues than solves those especially when you are using those separate apps and sharing KOs only in app level.
r. Ismo
0 Karma
Reply

kranthimutyala
Path Finder
‎09-15-2020 07:58 PM

@isoutamo  Thanks for the reply.Can we update the existing roles where users get the capability to share but not delete the objects of others within search app,  rather than creating a lot of new apps for each role

 

@niketn 

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-15-2020 10:06 PM
I don’t think so. If user has the write/modify capability then they can also delete.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...