Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk setting roles

standias
Explorer
‎11-24-2010 08:39 AM

Hi,

I want to set role in Splunk such that user is restricted to only searching. NO admin privileges..

Manager>Roles

Role:

Capabilities:

   search

Index:

   muncher

Is only setting search enough under capabilities to restrict user to only searching for index muncher? Also if i want user to be able to create report/schedule search... will this capability allow that or I have to set additional capabilities.

get_typeahead? what exactly is this.. Does it autocomplete previously entered queries?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎11-24-2010 02:53 PM

You may want to include the following two capabilities for the user as well...

rest_properties_get

get_metadata

The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.

schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.

get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.

For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...

View solution in original post

Reply
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎11-24-2010 02:53 PM

You may want to include the following two capabilities for the user as well...

rest_properties_get

get_metadata

The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.

schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.

get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.

For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...

Reply
Solved! Jump to solution

sh1pit76
Explorer
‎10-08-2019 10:53 AM

I know this post is a bit old, but I'm curious what you meant when you said get_typeahead "could potentially reveal sensitive information." Can you give me an example when this would expose sensitive information? I was under the impression that get_typeahead works by comparing your search syntax to those you've entered previously. If this is true, wouldn't get_typeahead only reveal already known information to the user?

Thanks
Jason

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...