Splunk Enterprise Security

Dashboard permissions for monitor/screen

mmoermans
Path Finder

I've set up a new Role & User called monitor for the task of displaying Enterprise Security dashboards on a monitor/screen in the building. It's important that this account cannot search through indexes normally and embedding panels is out of the question as well.

So I've copied the normal ES user permissions, made sure that the datamodel permissions are global, same as field extractions, etc.
Yet somehow most of the panels in ES give "No results found." for the Monitor role unless I add the User role under Inheritance. I've tried giving the role every index and every capability, yet still "No results found" unless I let it inherit the user (which does not have any different capabilities).

Am I missing a permission setting somewhere that I'm unaware of?

0 Karma

DalJeanis
SplunkTrust

I understand what you said was important, but I don't understand why it is important. Presumably, a human user will use that service ID to start up a particular dashboard each day to display on various monitors and then that service ID will do nothing else, ever.

Therefore, that service ID needs access to the app containing that dashboard, and the underlying data, and nothing else.

Worst case scenario, if you felt you really had to lock it down, you could clone the panels to a new app and give that service ID only the new app... but that's a lot of work. More likely, you just set up an alert to detect when that service ID does anything that it has no business doing... at which point you march down and have a come-to-Jesus talk with Mr Curious.

0 Karma
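The alerting idea in the reply above, sketched as an added example that is not part of any post in this thread: it flags audit events where the `monitor` account does anything other than load its expected dashboards. The dashboard ids, the allowed actions, and the simplified audit record layout (including the `provenance` values) are assumptions made for this illustration.

```python
import re

SERVICE_ACCOUNT = "monitor"  # account name from the thread
# Assumptions: dashboard ids the wallboard loads, and actions it may perform.
ALLOWED_DASHBOARDS = {"security_posture", "incident_review"}
EXPECTED_ACTIONS = {"search", "login attempt"}

# Constructed records loosely modelled on Splunk audit events; the field
# layout and provenance values are assumptions made for this example.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 08:00:01.100, user=monitor, action=search, info=granted, provenance=UI:Dashboard:security_posture, search='| tstats count from datamodel=Authentication']
Audit:[timestamp=03-01-2024 08:00:02.300, user=analyst1, action=search, info=granted, provenance=UI:Search, search='search index=main error']
Audit:[timestamp=03-01-2024 12:14:45.900, user=monitor, action=search, info=granted, provenance=UI:Search, search='search index=firewall src=10.0.0.5']
Audit:[timestamp=03-01-2024 12:15:10.000, user=monitor, action=search, info=granted, provenance=UI:Dashboard:user_activity, search='| tstats count from datamodel=Identity_Management']
Audit:[timestamp=03-01-2024 12:16:30.500, user=monitor, action=edit_user, info=denied, object=monitor]
"""

FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")

def parse_event(line):
    """Turn one Audit:[k=v, ...] line into a dict, stripping quotes."""
    body = line[line.index("[") + 1 : line.rindex("]")]
    return {k: v.strip("'") for k, v in FIELD_RE.findall(body)}

def violation(event):
    """Return a reason if the service account left its job, else None."""
    if event.get("user") != SERVICE_ACCOUNT:
        return None
    action = event.get("action", "?")
    if action not in EXPECTED_ACTIONS:
        return "unexpected action: " + action
    if action != "search":
        return None
    prov = event.get("provenance", "")
    if not prov.startswith("UI:Dashboard:"):
        return "search not launched from a dashboard"
    dash = prov.split(":", 2)[2]
    if dash not in ALLOWED_DASHBOARDS:
        return "unexpected dashboard: " + dash
    return None

def find_violations(text):
    """Return (timestamp, reason) for every out-of-scope event in the text."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line) if line.startswith("Audit:[") else {}
        reason = violation(ev)
        if reason:
            hits.append((ev["timestamp"], reason))
    return hits
```

`find_violations(SAMPLE_AUDIT)` returns the three out-of-scope events for the `monitor` account and ignores the other user's ad hoc search.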

koshyk
Super Champion

ES is a beast for permissions.
What you can try doing is to create a myuser role. Inherit the user role first into myuser. Add myuser to monitor role. Then try detaching individual capabilities from myuser role until it suits you.

0 Karma

mmoermans
Path Finder

The user role has permission to indexes for other actual ES users, which would mean the roles myuser and monitor would get access to search those indexes too though?

0 Karma

maciep
Champion

Pretty sure your role needs to be able to search the indexes - otherwise, the searches behind the panels won't find any data. I don't think you can have a user just see the results of a search w/o giving them access to the data gathered by the search.

0 Karma