Security

Capability to assign to user role to view and add data inputs

apro
Path Finder

Hi,

What is the capability to assign to a user role so that it is able to access and configure data inputs via "Manager > Data Inputs" ?

"list_inputs" is already in and I've also tried to include "edit_tcp", "edit_udp", "edit_monitor" but the user account is still unable to access data inputs..

Tags (3)

Stephen_Sorkin
Splunk Employee
Splunk Employee

These pages are controlled by access control lists on manager objects rather than capabilities on the underlying splunk functionality. We're slowly moving splunkd from a capabilities-based model to an ACL model to better support granular control of various system and user objects.

To make these visible, edit $SPLUNK_HOME/etc/apps/search/metadata/local.meta and add additional roles to the read attributes of the following stanzas:

[manager/datainputstats]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_monitor]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_script]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_tcp_cooked]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_tcp_raw]
access = read : [ admin ], write : [ admin ]

[manager/data_inputs_udp]
access = read : [ admin ], write : [ admin ]

cmahan
Path Finder

Is this still valid? I have no [manager/data...... in that file at all. I do see the individual inputs that I would like my restricted user to have access to.. In my case they are website availability check (web_ping) inputs. I want certain users to be able to add or remove these checks. Can't find a particular capability to add to give view of the checks and ability to edit and do not see corresponding entries to what this article suggests 5 years ago...

0 Karma

tpsplunk
Communicator

with some help form splunk support this is now working. I had to do two things- one was make the changes to local.meta as explained by Stephen. It did need to go in the 'search' app. The second was to add the line "edit_monitor = enabled" under the appropriate role stanza in my local/authorize.conf file. after a restart of splunk the users in the edited role were able to use the add data app/button.

0 Karma

tpsplunk
Communicator

this did not work for me. I did it a little different- i am using searchead pooling and have a 'searchhead' app that is managed by my deployment server so i edited my searchhead/metadata/local.meta file and distrubuted it. once it showed up on my searchhead i restarted it and had the user try again- no luck. the user in question has a power user role so in each of the stanza's above I changed the access line to be: access = read : [ admin, power ], write : [ admin, power]

0 Karma

tpsplunk
Communicator

Hi stephen,
is this still a valid answer for splunk 4.3? or have further improvements been made?

I will test them in my local.meta file and report back

0 Karma

apro
Path Finder

Have tried restarting splunk services but still the same..

nope..no specific error as well...

0 Karma

jrodman
Splunk Employee
Splunk Employee

I don't know.

Have you restarted and/or reloaded auth? Those sound sufficient, but not sure. Do you get a specific error? This might be better as a support inquiry, if you don't get a quick answer here.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...