Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1099
Views
5
Helpful
3
Replies

Splunk permission for ANC using pxGrid

Go to solution
mikoconn
Cisco Employee
Cisco Employee

‎11-27-2017 10:16 AM

Hi,

We have two users in Splunk, one Admin, one Power User. The Admin can quarantine endpoints using pxGrid workflow actions but the Power User gets an authorisation error that appears to refer to a passwords file.

External search command 'pxgremediate' returned error code 1. Script output = "ERROR Could not get Splunk_TA_cisco-ise credentials from splunk. Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_cisco-ise/admin/passwords "

Please could you tell me if there is a way of getting the Power User, or any non-Admin user, to be able to initiate pxGrid actions without upgrading them to Admin?

Thanks,

Mike.

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mikoconn

‎11-28-2017 12:02 PM

mike thanks, from an offline discussion

The permission needed is list_storage_passwords, which gives the user permission to read all passwords for all apps on that Splunk instance (but not user passwords for logging into the Splunk UI). There’s no per-app security control in Splunk. So, there are some nasty security implications if there are several different user communities using different apps, but that’s not our case. I go the answer from https://answers.splunk.com/answers/536336/ive-created-a-custom-splunk-app-that-has-passwords.html.

View solution in original post

3 Replies 3

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎11-27-2017 03:13 PM

HI Mike,

Does the power user have UI permissions in ISE? You can use RBAC permissions for this and assign the right group for UI and data level access.

Thanks

Krishnan

Go to solution
mikoconn
Cisco Employee
Cisco Employee
In response to kthiruve

‎11-28-2017 09:49 AM

Hi Krishnan,

Thanks for getting back to me.  The Splunk admin has found the permission needed to pull in the password and it's now working.

Regards,

Mike.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mikoconn

‎11-28-2017 12:02 PM

mike thanks, from an offline discussion

The permission needed is list_storage_passwords, which gives the user permission to read all passwords for all apps on that Splunk instance (but not user passwords for logging into the Splunk UI). There’s no per-app security control in Splunk. So, there are some nasty security implications if there are several different user communities using different apps, but that’s not our case. I go the answer from https://answers.splunk.com/answers/536336/ive-created-a-custom-splunk-app-that-has-passwords.html.

Customers Also Viewed These Support Documents