Security

Where can we see access/permission issues?

danielbb
Motivator

We are moving several admin folks to be power users. During the transition we might have permission issues. Where can we see them?

1 Solution

nickhills
Ultra Champion

You are unlikely to see permissions issues per se, however your users may find that they can't do things they used to be able to do
(options missing, unable to modify settings, etc.).
As such there will be no errors logged, as the user simply will not have the options they previously expected.

However, pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then their searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.

Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc. look as they should. The permissions (or capability) limitation is normally trivial.

If my comment helps, please give it a thumbs up!
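Because a search against a now-restricted index returns fewer results without logging anything, the gap can be found ahead of the role change by comparing role definitions against the searches users rely on. The following is an added example, not code from this thread or from Splunk: it assumes role definitions in `authorize.conf` form (`srchIndexesAllowed`, `importRoles`), uses constructed role contents, index names and saved searches, and models wildcards in a simplified way (`*` covers only non-internal indexes).

```python
import configparser
import re
from fnmatch import fnmatchcase

# Constructed authorize.conf excerpt; index names are hypothetical.
AUTHORIZE_CONF = """
[role_power]
srchIndexesAllowed = main;web;os_*
[role_admin]
importRoles = power
srchIndexesAllowed = *;_*
"""

# Constructed saved searches owned by the users being moved.
SAVED_SEARCHES = {
    "Failed logins": "index=os_linux sourcetype=linux_secure failed | stats count by user",
    "Forwarder health": "index=_internal OR index=web source=*metrics.log | timechart count",
    "Firewall denies": 'index="netfw" action=blocked | top src_ip',
}

def allowed_patterns(conf, role, seen=None):
    """Collect srchIndexesAllowed for a role, following importRoles."""
    seen = set() if seen is None else seen
    section = "role_" + role
    if role in seen or not conf.has_section(section):
        return set()
    seen.add(role)
    get = lambda key: [v.strip() for v in conf.get(section, key, fallback="").split(";") if v.strip()]
    patterns = set(get("srchIndexesAllowed"))
    for parent in get("importRoles"):
        patterns |= allowed_patterns(conf, parent, seen)
    return patterns

def can_search(index, patterns):
    # Simplified model: internal indexes only match "_"-prefixed patterns.
    return any(fnmatchcase(index, p) and index.startswith("_") == p.startswith("_") for p in patterns)

def silently_dropped(old_role, new_role):
    """Map search name -> indexes readable under old_role but not under new_role."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(AUTHORIZE_CONF)
    old, new = allowed_patterns(conf, old_role), allowed_patterns(conf, new_role)
    report = {}
    for name, spl in SAVED_SEARCHES.items():
        indexes = set(re.findall(r'\bindex\s*=\s*"?([\w*-]+)', spl))
        lost = sorted(i for i in indexes if can_search(i, old) and not can_search(i, new))
        if lost:
            report[name] = lost
    return report

print(silently_dropped("admin", "power"))
```

Searches that name no index fall back to the role's default indexes, which this sketch does not model.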

danielbb
Motivator

Thank you @nickhillscpl. If there are any errors, would they be in _internal or _audit?


nickhills
Ultra Champion

There won't be any errors, as there is no concept of "permission denied" (for users), so you won't see any errors anywhere.

Splunk will give you access to everything you have - if you don't have access to it, you simply won't be told that it even exists.

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

Just thinking about this... REST API calls will fail if you don’t have permissions, so that is an exception.

Probably only an issue if any of your users are developers, in which case they will be logged in _internal.

If my comment helps, please give it a thumbs up!