Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where can we see access/permission issues?

danielbb
Motivator
‎02-20-2020 04:26 AM

We are moving several admin folks to be power users. During the transition we might have permission issue. Where can we see them?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-20-2020 05:22 AM

You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.

Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.

Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-20-2020 05:22 AM

You are unlikely to see permissions issues per-se, however your users may find that they cant do things they used to be able to do.
(options missing, unable to modify settings etc)
As such there will be no errors logged as the user simply will not have the options they previously expected.

Howevr pay note to index permissions - no errors will be logged, but if your users had searches in indexes to which they previously had permission (and now do not) then thier searches will simply ignore data in the now restricted index. No error would be logged, but the search results will not contain results from those indexes.

Generally speaking this process is not as fraught as it might appear - after the change ask users to check reports that they are receiving to ensure they are complete, and dashboards etc look as they should. The permissions (or caperbility) limitation is normally trivial.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

danielbb
Motivator
‎02-20-2020 06:43 AM

Thank you @nickhillscpl. If there are any errors, would they be in _internal or _audit?

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-20-2020 06:52 AM

There wont be any errors, as there is no concept of "permission denied" (for users), so you wont see any errors anywhere.

Splunk will give you access to everything you have - if you dont have access to it, you simply wont be told that it even exists.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-20-2020 07:08 AM

Just thinking about this... rest api calls will fail if you don’t have permissions, so that is an exception.

Probably only an issue if any of your users are developers, in which case they will be logged in _internal

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...