Hello.
I'm creating an Event Type like this:
curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
-d name="incident_1" \
--data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"
My RESTUser is a member of one role, the 'REST_API_User', which has the following capabilities:
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API:
curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
-d perms.read=* \
-d perms.write=* \
-d sharing=app \
-d owner=RESTUser
However, now I am denied this action with the following error message:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
</messages>
</response>
I am confused as to what to do, as I don't want to give a system admin access to my Splunk just to add and update Event Type ACLs. Isn't there a way to create an Event Type and simultaneously set the permissions? It seems to be set to [ admin, power ] by default.
Any advice out there?
In addition to all the roles and the event type, you must have write permission to the parent app.
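As an added illustration of the check described in this answer (not code from the thread or from Splunk), the script below parses the ACL error body quoted in the question and evaluates whether a user's roles grant write on both the object and its parent app. The message pattern, the app ACL values and the helper names are assumptions built from the error text above.

```python
"""Evaluate a Splunk ACL error and the object-plus-parent-app write rule."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the error body shown in the question above.
ERROR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
</messages>
</response>"""

# Assumed pattern of the error text; derived from the single message quoted above.
MSG_RE = re.compile(
    r"User '(?P<user>[^']+)' with roles \{ (?P<roles>[^}]*) \} cannot (?P<action>\w+): "
    r"(?P<path>\S+) \{ read : \[ (?P<read>[^\]]*) \], write : \[ (?P<write>[^\]]*) \] \}"
)


def _split(field):
    """Turn 'admin, power ' into {'admin', 'power'}."""
    return {x.strip() for x in field.split(",") if x.strip()}


def parse_acl_error(xml_text):
    """Return user, roles, action, path and the read/write role sets from an ERROR msg."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    msg = root.find("messages/msg")
    if msg is None or msg.get("type") != "ERROR":
        return None
    m = MSG_RE.search(msg.text or "")
    if not m:
        return None
    d = m.groupdict()
    return {"user": d["user"], "roles": _split(d["roles"]), "action": d["action"],
            "path": d["path"], "read": _split(d["read"]), "write": _split(d["write"])}


def allowed(user_roles, acl_roles):
    """A permission is granted when the ACL lists '*' or any of the user's roles."""
    return "*" in acl_roles or bool(set(user_roles) & set(acl_roles))


def can_write_shared_object(user_roles, object_write, app_write):
    """Per the answer: writing an app-shared object needs write on it AND on the parent app."""
    return allowed(user_roles, object_write) and allowed(user_roles, app_write)
```

Feed `parse_acl_error` the response body of a failed ACL call, then compare the returned role sets against the app's own ACL (readable via the app's acl endpoint) to see which grant is missing.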
Hello. I will try to give RESTUser write to the app.