403 error following saved-search link

grahampoulter
Path Finder

An unprivileged user following the "Link to results" in the scheduled search email for a globally-shared saved search on Splunk 4.2 (Windows x64) that was created by admin gets a 403 error, but replacing the @go in the URL with "flashtimeline" shows the results.

Steps to reproduce:

  • Create a saved search from admin role, schedule it, and share with app or globally. That is, give read permission for Everyone.
  • Follow the "Link to Results" in the scheduled email, logging in as unprivileged User. Link to results: http://example.com:8000/app/search/@go?sid=scheduler__admin__search_TGl2ZSBXTUkgU1FMIEV4Y2VwdGlvbnM_at_1309182600_34add1b3a8f9c6a6
  • Receive 403 error: `AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None`

If you replace the @go in the link with "flashtimeline", there is no 403 error and the search results display.

Alternatively, if you log in as an admin role instead of a user role, there is no 403 error and search results display.

I think there is a bug in the handling of the @go part of the URL, causing a 403 response to users who are not admin or owner of the saved search, despite global sharing with "Everyone".

Related to Q10946

The user role already has the rest_properties_get capability.

1 Solution

piebob
Splunk Employee

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.
