Speaking with @woodcock about this case at What time frame does the auto for Schedule Window cover?
We would like to enforce auto for the Schedule Window option.
My understanding there was -
If we don't give the edit_search_schedule_window capability to anyone, all will be set to auto without the ability to change it - sounds good to me ;-)
However, we tested it and it was said -
I was doing some testing around the edit_search_schedule_window capability and in my testing, which may be inaccurate, removing that capability removed more than just the ability to leverage/modify the schedule window… it also removed the user’s ability to schedule searches. This is in light of the role still having the schedule_search capability.
Looks like this is affecting report scheduling… alert scheduling appears to be fine. More testing needed.
I can confirm that with the schedule_search capability only, we can't schedule a Report. It looks like for Report Scheduling the edit_search_schedule_window capability is also required. And Splunk by default ships the edit_search_schedule_window capability with the user role, which means that to schedule any report we require both capabilities (edit_search_schedule_window and search), OR it might be a bug?
I would open a support case.
Much appreciated @harsmarvania57 and @woodcock !!! I'll open a support case.
Support is saying -
-- As far as I know I have come across this issue before and this is not a bug; effectively you need both of these capabilities to be able to schedule reports.
Does it make sense?
Push back and ask them: "Then why bother having 2 settings instead of just 1?"
oh oh @woodcock - will do ;-)
Don't get your hopes up. Also ask them to document this on the docs page somewhere.
I know. I dealt with them quite a bit - more during the Hunk period of mine ;-)
Ok, Support got back to us pointing to https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Rolesandcapabilities
it says there -
-- Schedule search -> Lets the user schedule saved searches, create and update alerts, and review triggered alert information.
edit_search_schedule_window -> Lets the user assign schedule windows to scheduled reports. Requires the schedule_search capability. For more about the search scheduler, see the Knowledge Manager Manual.
The supporter added -
-- So, maybe the fact that you need both is due to the fact that scheduled reports are like saved searches that can have schedule windows.
Let me know what you think.
Splunk documentation is unbelievably excellent in almost every area EXCEPT FOR capabilities. There is no clear mapping of exactly what each one does and which ones need to be grouped together for certain functions. We always resort to experimentation in this area. One person who has done much of this is @pmalcakdoj, who may be able to share on this topic.
I haven't done any work in that particular area, so I'm not sure either.
I do echo the same sentiment as above: Splunk's capabilities logic is a magic black box.
One potential solution to the original question could be to use CSS/JS to hide/remove the Schedule Window option from UI.
It's a bandaid fix at best, I know.
Much appreciated @pmalcakdoj !!!
Thank you @woodcock !!! any ideas, by any chance, @pmalcakdoj?