As a user with full admin capabilities I am able to create, save, and share a search. A user (without full admin capabilities) has reported that he is unable to share searches. He receives an error (white text on red background) that states:
Image: https://docs.google.com/file/d/0B3CL3cqI_mZ_R2w1MTcxeTR0cjQ/edit?usp=sharing
(I'd upload an in-line image, but I don't have enough karma yet...)
Splunk could not update permissions for resource admin/macros [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/USERNAME/search/admin/macros/ET1GRAB/acl
I've confirmed that their role has the rest_properties_view capabilities, and I've reviewed the available (but withheld) capabilities and don't see any that look to be reasonable to add.
When I had them recreate the error I watched the log files when he did it and compared to when my admin account did it. The first time the logs differ appears to be in the splunkd_access.log when this appears:
127.0.0.1 - idm_test01 [31/Jul/2013:17:04:18.213 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 403 550 - - - 11ms
Any ideas where to track down this error?
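The log comparison described in the question can be automated. The following is an added example, not part of the original thread: it parses splunkd_access.log lines and lists the requests a given user was denied (HTTP 403) alongside the users who succeeded on the same method, app and endpoint. The first sample line is the one quoted above; the other lines, the `admin` user name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# splunkd_access.log layout, as in the line quoted in the question:
# client - user [timestamp] "METHOD path HTTP/x" status bytes - - - NNms
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# /servicesNS/<owner>/<app>/<endpoint>: the owner segment differs per caller,
# so it is dropped to make requests from different users comparable.
NS_RE = re.compile(r'^/servicesNS/[^/]+/(?P<app>[^/]+)/(?P<endpoint>[^?]+)')

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    ns = NS_RE.match(rec["path"])
    if ns:
        rec["key"] = (rec["method"], ns["app"], ns["endpoint"].rstrip("/"))
    else:
        rec["key"] = (rec["method"], None, rec["path"])
    return rec

def denied_vs_allowed(lines, user):
    """Map each request `user` got a 403 on to the users who got a 2xx on it."""
    denied, allowed = set(), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["user"] == user and rec["status"] == 403:
            denied.add(rec["key"])
        elif 200 <= rec["status"] < 300:
            allowed[rec["key"]].add(rec["user"])
    return {k: sorted(allowed.get(k, ())) for k in sorted(denied, key=str)}

SAMPLE = [
    # from the question
    '127.0.0.1 - idm_test01 [31/Jul/2013:17:04:18.213 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 403 550 - - - 11ms',
    # constructed lines
    '127.0.0.1 - admin [31/Jul/2013:17:06:02.101 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 201 2048 - - - 35ms',
    '127.0.0.1 - idm_test01 [31/Jul/2013:17:04:10.007 -0400] "GET /servicesNS/idm_test01/search/saved/searches HTTP/1.1" 200 4096 - - - 8ms',
    'not an access log line',
]

if __name__ == "__main__":
    for key, ok_users in denied_vs_allowed(SAMPLE, "idm_test01").items():
        print(key, "denied; succeeded for:", ok_users or "nobody")
```

An endpoint that is denied for the custom role but succeeds for an admin role points at a role or app-permission difference rather than a malformed request.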
I might have found the problem. I'm at 5.0.2, so reading the 5.0.3 release notes had this bug as being resolved:
Users with custom roles may receive "Client is not authorized to perform requested action..." error when attempting to change permissions of her/his own saved searches (SPL-58729)
I'll see if we can get our lab systems set up to test and confirm. If it solves the problem, I'll accept this answer (green check-mark).
We applied the 5.0.4 patch last week on the search heads and indexers, and this problem was resolved.
I've updated from 5.0.2 to 5.0.4 in our lab environment and it appears to have resolved this search problem. The change to production is scheduled for Friday night. I'll report back if this is the resolution.
I've seen the "write permission" role mentioned in similar documents, but I can't find a good description of the pros/cons of allowing this.
On page 42 of the "Splunk 5.0.3 Knowledge Manager Manual" (FWIW, I'm running 5.0.2) it states that "App-level write permissions are usually only granted to users with admin-equivalent roles."
That sounds like a high requirement so my general users can share searches.
Check whether that user role has write permissions to the app he's sharing into.