Fine-Grained Authorization for Saved Searches

Splunk is excited to provide fine-grained authorization for Knowledge Objects starting with Saved Searches. Saved Searches are the most used Knowledge Object (KOs), and admins spend the most time delegating access to users for Saved Searches.

Today, Splunk administrators rely on a broad capability called ‘admin_all_objects’ to grant access to non-administrator users to perform admin tasks. The ‘admin_all_objects’ capability lets users access and modify any object in the system regardless of the restrictions on those objects, thus granting “full” access to Splunk KOs and configurations. A driver for this change is to let administrators delegate the management of knowledge objects (KOs) for users based on the unique roles they perform without granting full access to all KOs.

Splunk will add new capabilities for managing and delegating access to KOs. These capabilities let Splunk administrators grant fine-grained authorization to roles that let users perform administrator-level activities for the KOs. Administrators will no longer need to provide full access to Splunk resources. This helps admins adhere to the “least privilege” access principle, which reduces operational burden. The delegation of administrator-level actions for KOs to certain privileged users in turn reduces the service level objective (SLO) time to complete admin-level activities.

New Admin Capabilities for Saved Searches

Many organizations that use the Splunk platform have dedicated teams which perform specific tasks that require admin-level access to certain KOs and functionality within the Splunk platform. These new capabilities empower admins to create team level admins with limited administrative access based on the role and activities defined for that team. For example, with the addition of new capabilities to manage saved searches, a team that is responsible for creating content on the Splunk platform can create and manage that content without using the 'admin_all_objects' capability. This will help the team with delegated access create content for their customer organizations without requiring super admin access, while protecting super admin bandwidth.

The three new capabilities that will unlock administrative activities related to saved searches are:

• Edit saved search: The ‘edit_saved_searches’ capability will let a role edit the search string, description, and earliest and latest times for the search. A user who is responsible for managing and keeping saved searches up to date can update these saved search fields and save these changes successfully.
• See (list) saved search: The ‘list_all_saved_searches’ capability will let a role view all saved searches on the system. This includes private saved searches and saved searches that are in private apps.
• Change ownership of saved search: The ‘edit_saved_search_owner’ capability will let a role change the saved search owner. The role might also need the 'list_all_users' capability to see all saved searches in the system.

Let’s Get Started

Administrators can create roles in the capabilities page and assign the roles to either a new or an existing role. The Splunk platform does not assign these capabilities to any role by default. Reserve these capabilities for high-privilege, trusted users, as they let users discover, modify, and change ownership of all saved searches. Consequently, the capabilities grant visibility to any active user that owns a saved search and any app that contains a saved search, regardless of Access Control List (ACL) permissions.

1. In this example, I created a new role called “Analysts” with the three new capabilities for managing saved searches.
   
   
   
   
2. I then assigned the “Analysts” role to the user.
   
   
   
   
3. I then validated the user’s access by navigating through the Settings pages to the “All Configurations” page, searching for saved searches. The user can see all the saved searches by any owner. Note: the user must hold a role with the “list_saved_searches” capability to see the full list of saved searches. Without it, the user can only see and modify the list of saved searches that they own.
   
   
   
   
4. I continued with validation by modifying the saved search. With these capabilities, a user can edit the search string, description, earliest time, and latest time fields of the saved search. Note: These capabilities override the permissions system for saved searches, allowing for full delegation of saved search management. The capabilities only give permissions for the user to modify saved searches that they can see.
   
   
   
   
5. I then validated the user’s new permissions to change the saved search owner by going through the Reassign Knowledge Objects workflow.
   
   
   
   
6. I searched for and selected the new saved search owner.
   
   
   
   
7. Next, I validated that the newly-selected user owns the saved search. This workflow helps users on a team manage ownership of saved searches without needing to contact an administrator, which cuts down on time and effort communicating and negotiating with administrators.
   
   
   
   

Learn more about this feature here.

Note: Only saved search owners can delete saved searches. To delete a saved search, a user with the correct permissions must reassign that saved search to themselves and then go through the search deletion workflow. These capabilities do not let users delete saved searches with no owner. Admins must still recreate the user who previously owned the object if the object is orphaned. See the Splunk documentation for more details.

What’s Next?

Splunk continues to iterate on providing fine-grained access to knowledge objects. It is working on the following customer ideas. Also, it is working to provide administrators with the ability to further scope down the saved searches that a role with these capabilities can manage.

• EID-I-1301: Individual User Permission Granularity for Objects
• EID-I-221: Group admin role to allow distributed administration of users and objects

Splunk values your ideas and votes. Please continue to submit Splunk ideas.

Happy Splunking!