Reporting

Unable to save searches "[HTTP 403] Client is not authorized to perform requested action"

dglinder
Path Finder

As a user with full admin capabilities I am able to create, save, and share a search. A user (without full admin capabilities) has reported that he is unable to share searches. He receives an error (white text on red background) that states:

Image: https://docs.google.com/file/d/0B3CL3cqI_mZ_R2w1MTcxeTR0cjQ/edit?usp=sharing
(I'd upload an in-line image, but I don't have enough karma yet...)

Splunk could not update permissions for resource admin/macros [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/USERNAME/search/admin/macros/ET1GRAB/acl

I've confirmed that their role has the rest_properties_view capabilities, and I've reviewed the available (but withheld) capabilities and don't see any that look to be reasonable to add.

When I had them recreate the error I watched the log files when he did it and compared to when my admin account did it. The first time the logs differ appears to be in the splunkd_access.log when this appears:

127.0.0.1 - idm_test01 [31/Jul/2013:17:04:18.213 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 403 550 - - - 11ms

Any ideas where to track down this error?
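
The log comparison described in the post above, as an added example that is not part of the original post: it parses splunkd_access.log lines in the layout of the quoted line and lists requests that returned 403 for one user but succeeded for a baseline account. The `admin` account name and every sample line except the first are constructed.

```python
import re

# Layout taken from the splunkd_access.log line quoted in the post:
# client - user [timestamp] "METHOD path HTTP/x.y" status bytes - - - <n>ms
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) .*?(?P<ms>\d+)ms$'
)
# /servicesNS/<owner>/<app>/<endpoint>: the owner segment varies per user,
# so requests are compared on method + app + endpoint only.
NS_RE = re.compile(r'^/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/(?P<endpoint>.+)$')

# First line is the one from the post; the rest are constructed samples.
SAMPLE = [
    '127.0.0.1 - idm_test01 [31/Jul/2013:17:04:18.213 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 403 550 - - - 11ms',
    '127.0.0.1 - idm_test01 [31/Jul/2013:17:04:10.002 -0400] "GET /servicesNS/idm_test01/search/saved/searches HTTP/1.1" 200 4120 - - - 8ms',
    '127.0.0.1 - admin [31/Jul/2013:17:10:02.101 -0400] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 201 1830 - - - 25ms',
    'truncated or unrelated line',
]

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    ns = NS_RE.match(rec["path"].split("?")[0])
    rec.update(ns.groupdict() if ns
               else {"owner": None, "app": None, "endpoint": rec["path"]})
    return rec

def denied_vs_allowed(lines, user, baseline):
    """Requests `user` got 403 on that `baseline` completed with a 2xx."""
    denied, allowed = set(), set()
    for rec in filter(None, map(parse, lines)):
        key = (rec["method"], rec["app"], rec["endpoint"])
        if rec["user"] == user and rec["status"] == 403:
            denied.add(key)
        elif rec["user"] == baseline and 200 <= rec["status"] < 300:
            allowed.add(key)
    return sorted(denied & allowed)

if __name__ == "__main__":
    for method, app, endpoint in denied_vs_allowed(SAMPLE, "idm_test01", "admin"):
        print(f"403 for user only: {method} app={app} endpoint={endpoint}")
```
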

1 Solution

dglinder
Path Finder

I might have found the problem. I'm at 5.0.2, so reading the 5.0.3 release notes had this bug as being resolved:

Users with custom roles may receive "Client is not authorized to perform requested action..." error when attempting to change permissions of her/his own saved searches (SPL-58729)

http://docs.splunk.com/Documentation/Splunk/5.0.3/ReleaseNotes/5.0.3#Resolved_search.2C_saved_search...

I'll see if we can get our lab systems set up to test and confirm. If it solves the problem, I'll accept this answer (green check-mark).

0 Karma

dglinder
Path Finder

We applied the 5.0.4 patch last week on the search heads and indexers, and this problem was resolved.

0 Karma

dglinder
Path Finder

I've updated from 5.0.2 to 5.0.4 in our lab environment and it appears to have resolved this search problem. The change to production is scheduled for Friday night. I'll report back if this is the resolution.

0 Karma

dglinder
Path Finder

I've seen the "write permission" role mentioned in similar documents, but I can't find a good description of the pros/cons of allowing this.

On page 42 of the "Splunk 5.0.3 Knowledge Manager Manual" (FWIW, I'm running 5.0.2) it states that "App-level write permissions are usually only granted to users with admin-equivalent roles."

That sounds like a high requirement so my general users can share searches.

0 Karma

martin_mueller
SplunkTrust

Check whether that user role has write permissions to the app he's sharing into.

0 Karma