- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Where can we see access/permission issues?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are moving several admin folks to be power users. During the transition we might have permission issue. Where can we see them?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @nickhillscpl. If there are any errors, would they be in _internal or _audit?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There wont be any errors, as there is no concept of "permission denied" (for users), so you wont see any errors anywhere.
Splunk will give you access to everything you have - if you dont have access to it, you simply wont be told that it even exists.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thinking about this... rest api calls will fail if you don’t have permissions, so that is an exception.
Probably only an issue if any of your users are developers, in which case they will be logged in _internal
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
