Security

Why was I able to edit an inline extraction where my role only has "read" permission

ksoucy
Path Finder

I was able to edit and save an existing inline extraction (not owned by me), as a regular user assigned to a role that does not have write permission for the extraction. How can this be?

The extraction is the delivered "django_access : EXTRACT-extract_spent" extraction that grants Read access to Everyone, but does not grant Write access to my role:

These are the capabilities assigned to my role:
[role_lvmvuser]
admin_all_objects = enabled
change_own_password = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
pattern_detect = enabled
rest_properties_get = enabled
schedule_search = enabled
search = enabled
search_process_config_refresh = enabled
srchIndexesAllowed = lvmv
srchIndexesDefault = lvmv
srchMaxTime = 0

Is there a capability that is allowing me to edit an extract even though the extract shows I don't have write permission? Is this a security flaw in Splunk?
This issue will prevent us from deploying Splunk in our organization, as we need to be able to secure extractions, etc. based on the permissions set.


masonmorales
Influencer

The admin_all_objects = enabled capability lets your role edit any object in Splunk regardless of the object's permissions.

See: https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities


ksoucy
Path Finder

Mason, I agree that is why any user is able to edit any saved extraction, etc., however when we remove that capability from the role it prevents a user from saving any extractions, etc. Users receive this error:

User 'xxxxxxx' with roles { lvmvuser, xxxxxx } cannot write: /nobody/search/props/lvmump-access/EXTRACT-lvmump-access-log { read : [ * ], write : [ admin, power ] }, export: global, removable: no

Do you know of another capability that gives users the ability to create and save objects?

Thanks


somesoni2
SplunkTrust

IMO, the culprit is admin_all_objects = enabled, which allows you to edit all objects (admin privileges). If you're a regular user or have a regular user role, this capability shouldn't be there.


ksoucy
Path Finder

Normally I would agree with you, however we found that we were not able to save the inline extracts, reports, etc. if we did not have the admin_all_objects capability. Do you know of a different capability that provides the ability to create/save extracts, etc.?

Thanks

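As an added illustration (not code from the thread and not Splunk's own authorization code), the following Python models the behaviour the thread describes: it parses a role stanza in the authorize.conf shape posted above, parses an object ACL in the "{ read : [ * ], write : [ admin, power ] }" form from the quoted error, applies the rule that admin_all_objects short-circuits per-object permissions, and audits which non-admin roles carry that capability. The role_lvmvreader stanza is a constructed example role, not one from the thread.

```python
import re
from typing import Dict, List

# Constructed sample authorize.conf: the stanza shape posted in the thread,
# plus the same role with admin_all_objects removed (hypothetical role name).
AUTHORIZE_CONF = """
[role_lvmvuser]
admin_all_objects = enabled
search = enabled
srchIndexesAllowed = lvmv
[role_lvmvreader]
search = enabled
srchIndexesAllowed = lvmv
"""
# Object ACL in the format Splunk prints in the "cannot write" error quoted in the thread.
ACL_TEXT = "{ read : [ * ], write : [ admin, power ] }"

def parse_roles(conf: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {capability: value}}."""
    roles, current = {}, None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r"\[role_(\w+)\]$", line)
        if m:
            current = roles.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return roles

def parse_acl(text: str) -> Dict[str, List[str]]:
    """Turn '{ read : [ * ], write : [ admin, power ] }' into per-action role lists."""
    acl = {}
    for action, members in re.findall(r"(\w+)\s*:\s*\[([^\]]*)\]", text):
        acl[action] = [m.strip() for m in members.split(",") if m.strip()]
    return acl

def can(action: str, user_roles: List[str], acl: Dict[str, List[str]],
        roles: Dict[str, Dict[str, str]]) -> bool:
    """admin_all_objects short-circuits the object ACL; otherwise a role must be listed or '*'."""
    if any(roles.get(r, {}).get("admin_all_objects") == "enabled" for r in user_roles):
        return True
    allowed = acl.get(action, [])
    return "*" in allowed or any(r in allowed for r in user_roles)

def audit_admin_all_objects(roles: Dict[str, Dict[str, str]], expected=("admin",)) -> List[str]:
    """Non-admin roles carrying admin_all_objects: the misconfiguration behind this thread."""
    return sorted(r for r, caps in roles.items()
                  if caps.get("admin_all_objects") == "enabled" and r not in expected)
```

Running audit_admin_all_objects over a real authorize.conf export is the quick check for the situation in this thread: a non-admin role with the capability passes every write check regardless of the object's own write list.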