
App appears to override role permissions

oliverrooney
New Member

I have created a role that has the following permissions:

[role_blah]
rtsearch = enabled
schedule_search = enabled
search = enabled
srchFilter = sourcetype=mysource (host=host1* OR host=host2*)
srchIndexesAllowed = myindex
srchIndexesDefault = myindex
srchMaxTime = 0

This works as expected in the Search app. When I use another app (Splunk license usage, incidentally), a user in this role (and no other role) is able to search the _internal index as well. To clarify, I can't search the _internal index using the Search and Reporting app, I hope due to the index restriction in the role definition, but I can using the license usage app.

Is this expected? I guess I can "fix" it by changing the permission on the app to only allow other roles, but there are many apps and many other objects to remove this permission from, and I expected the role definition to work across all apps.


martin_mueller
SplunkTrust

Apparently saved searches owned by nobody are run as splunk-system-user, giving you implicit access to a small window into _internal. See http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/CreateandeditdashboardsviatheUI#Add_a_search.2... for the relevant docs describing how the user context for saved searches in dashboards works (H/T to @piebob!).

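To make the accepted answer concrete, here is an added example (my own code, not from this thread and not Splunk's) that models the two things interacting in the question: the index restriction a role gets from authorize.conf (including indexes inherited through importRoles and Splunk's wildcard rule that a bare `*` does not cover `_internal`), and the user context a dashboard's saved search runs in. The authorize.conf text is modelled on the question's role; the imported role `role_user`, the saved-search records, and the `runs_as` rule that a search owned by `nobody` executes as `splunk-system-user` are assumptions taken from the answer above, not something read from a live instance.

```python
# Added example (not from the thread, not Splunk's code): combine a role's
# authorize.conf index restrictions with the context a saved search runs in,
# and flag searches whose cached results bypass the role's own limits.
import configparser
from fnmatch import fnmatch

# Constructed authorize.conf, modelled on the role from the question, plus an
# imported role to show inheritance (role_user and its index are assumptions).
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_blah]
importRoles = role_user
rtsearch = enabled
schedule_search = enabled
search = enabled
srchFilter = sourcetype=mysource (host=host1* OR host=host2*)
srchIndexesAllowed = myindex
srchIndexesDefault = myindex
srchMaxTime = 0
"""

# Constructed saved-search records, as an audit export might list them.
SAVED_SEARCHES = [
    {"title": "license_usage_internal", "owner": "nobody", "index": "_internal"},
    {"title": "my_app_overview", "owner": "nobody", "index": "myindex"},
    {"title": "alice_private", "owner": "alice", "index": "_internal"},
]


def parse_roles(conf_text):
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def effective_indexes(roles, role, _seen=None):
    """srchIndexesAllowed patterns of a role merged with those of its importRoles.
    Both settings are semicolon-separated lists in authorize.conf."""
    _seen = _seen if _seen is not None else set()
    if role not in roles or role in _seen:
        return set()
    _seen.add(role)
    own = roles[role].get("srchIndexesAllowed", "")
    patterns = {p.strip() for p in own.split(";") if p.strip()}
    for parent in roles[role].get("importRoles", "").split(";"):
        if parent.strip():
            patterns |= effective_indexes(roles, parent.strip(), _seen)
    return patterns


def role_can_search(roles, role, index):
    """True if an interactive search by a member of `role` may read `index`.
    A bare '*' matches only non-internal indexes; '_*' is needed for _internal."""
    for pat in effective_indexes(roles, role):
        if pat == "*" and index.startswith("_"):
            continue
        if fnmatch(index, pat):
            return True
    return False


def runs_as(saved_search):
    """User context a dashboard's saved search runs in, following the accepted
    answer: owned by 'nobody' means splunk-system-user, otherwise the owner."""
    owner = saved_search["owner"]
    return "splunk-system-user" if owner == "nobody" else owner


def audit_saved_searches(roles, role, saved_searches):
    """Titles of searches whose results a member of `role` would see through the
    system-user context even though the role cannot search that index itself."""
    flagged = []
    for ss in saved_searches:
        if runs_as(ss) == "splunk-system-user" and not role_can_search(roles, role, ss["index"]):
            flagged.append(ss["title"])
    return flagged


if __name__ == "__main__":
    roles = parse_roles(AUTHORIZE_CONF)
    print("effective indexes:", sorted(effective_indexes(roles, "role_blah")))
    print("flagged:", audit_saved_searches(roles, "role_blah", SAVED_SEARCHES))
```

Run against the constructed data, `role_blah` resolves to `main` and `myindex` only, `_internal` is refused for an interactive search, and `license_usage_internal` is the one saved search flagged: it is owned by `nobody` and reads an index the role cannot query directly, which is exactly the situation the question describes. The same audit loop works on real records exported from a `| rest` search over saved searches, with the owner field and the index a search targets filled in from that export.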


martin_mueller
SplunkTrust

Interesting... I'll grab the app and take a look myself.


oliverrooney
New Member

None of the searches in that app context are scheduled. They all show a scheduled time of "None". The data visible also appears to be up to date, at least no more than 10 minutes old. The dashboard is owned by "nobody".


martin_mueller
SplunkTrust

Is the dashboard using a saved search that's scheduled? If so, it'll be run in the context of the search's owner and you get the results from the most recent run.


oliverrooney
New Member

Hi Martin,

Thanks for your reply. I have run the rest command you suggested; the results are exactly what I would expect from the role configuration above:

Field                        Value
title                        role_blah
imported_srchDiskQuota       0
imported_srchFilter          (empty)
imported_srchIndexesAllowed  (empty)
imported_srchIndexesDefault  (empty)
imported_srchJobsQuota       0
imported_srchTimeWin         -1
srchDiskQuota                100
srchFilter                   sourcetype=mysource (host=host1 OR host=host2)
srchIndexesAllowed           myindex
srchIndexesDefault           myindex
srchJobsQuota                3
srchTimeWin                  -1

Interestingly, I can see results on the app dashboard as this user and can see the underlying stats if I click the magnifying glass to see the search, but the search returns no results if I try to re-run it. Is there any caching of the results of the saved search somehow?


martin_mueller
SplunkTrust

That app doesn't do anything about roles; it doesn't even have an authorize.conf file included.

To check if something weird is going on with your role, run this search (might need an admin account):

| rest /services/authorization/roles/role_blah | table title *srch*

That lists the search-related settings for that role, along with imported settings from other roles.
