We are moving several admin folks to be power users. During the transition we might have permission issue. Where can we see them?
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.
Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.
Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.
Thank you @nickhillscpl. If there are any errors, would they be in _internal
or _audit
?
There wont be any errors, as there is no concept of "permission denied" (for users), so you wont see any errors anywhere.
Splunk will give you access to everything you have - if you dont have access to it, you simply wont be told that it even exists.
Just thinking about this... rest api calls will fail if you don’t have permissions, so that is an exception.
Probably only an issue if any of your users are developers, in which case they will be logged in _internal