Security

Admins can't see private searches/reports/alerts

alekksi
Communicator

Hi all,

As an admin user, I am unable to see private dashboards and searches saved by some users. I know that a number of these exist, including some from users who have now left the company. What is the easiest way of cleaning up these objects?

I can confirm that the admin role has the 'admin_all_objects' capability.

Thanks in advance,
Alex

0 Karma
1 Solution

chimell
Motivator

Hi alekksi

Verify whether, in your Splunk instance, the Admin role has all of the following selected capabilities:

accelerate_datamodel
admin_all_objects
change_authentication
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_forwarders
edit_httpauths
edit_input_defaults
edit_monitor
edit_roles
edit_scripted
edit_search_head_clustering
edit_search_scheduler
edit_search_server
edit_server
edit_splunktcp
edit_splunktcp_ssl
edit_tcp
edit_token_http
edit_udp
edit_user
edit_view_html
edit_web_settings
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
get_diag
indexes_edit
license_edit
license_tab
list_deployment_client
list_deployment_server
list_forwarders
list_httpauths
list_pdfserver
list_search_head_clustering
list_search_scheduler
list_win_localavailablelogs
rest_apps_management
restart_splunkd
run_debug_commands
web_debug

Also verify the imported capabilities:

accelerate_search
change_own_password
edit_sourcetypes
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search


hredd
New Member

I don't follow. Going to Settings -> All Configurations just brings you to 20+ pages of indecipherable object names. The answer for this question does not address what someone using Splunk Web would do in order to change the permissions required to see alerts that a user has made and never shared globally.

0 Karma

renjith_nair
SplunkTrust

Check under Settings -> All Configurations. You should be able to see all dashboards under config type view, and similarly other objects as well. You might need to edit permissions there to share from private to Global to list them under dashboards.

Happy Splunking!

norbertkiammacl
Explorer

Worked like a charm!

0 Karma

jplumsdaine22
Influencer

I don't think you can actually view the dashboard - you can only see the object in the manager list, and edit its permissions. You will have to manually set permissions to allow the admins role to "read" the view/search etc.

alekksi
Communicator

Yep -- you're right for this one. Thanks

0 Karma

alekksi
Communicator

I can verify that, of the top list, the following are missing:
edit_search_scheduler (doesn't exist in 6.2.3, the current version we're on -- should be moving to 6.3.x in a month or so)
edit_token_http
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
list_pdfserver
list_search_scheduler
list_win_localavailablelogs
web_debug (doesn't exist in 6.2.3)

Of the bottom list, I'm not sure exactly how to get most of these turned on -- only schedule_rtsearch is appearing -- but I'm sure that a number of these are turned on for admin users.

0 Karma

chimell
Motivator

My Splunk instance is version 6.3.2, so it is possible that we have differences. Just add the capabilities which are absent to complete the list and retest.

0 Karma

alekksi
Communicator

Seems to work fine. Thanks a lot mate 🙂

0 Karma

chimell
Motivator

You are welcome.

0 Karma