Manage app permissions in Splunk Cloud Platform

The Admin Config Service (ACS) API lets you programmatically assign read and write permissions for apps to specific roles in Splunk Cloud Platform. You can use this functionality to grant access to an app for certain roles while hiding the app from other roles on individual search heads or search head clusters.

The ability to control app visibility on search heads by role is particularly useful in Victoria Experience, where apps are installed and visible by default on all search heads across the deployment. For more information on app installation behavior, see How self-service app installation works in Victoria Experience.

You can use the ACS API to assign app read and write permissions to roles for both private apps and splunkbase apps.

For instructions on how to use the ACS API to manage roles, see Manage roles, users and capabilities in Splunk Cloud Platform. For more information on role-based access control (RBAC) in Splunk Cloud Platform, see About configuring role-based user access.

For more information on managing app permissions on the Splunk Platform, see Managing app and add-on configurations and properties in the Splunk Enterprise Admin Manual.

Requirements

To manage app permissions for roles using the ACS API:

• You must hold the sc_admin role.
• You must have Splunk Cloud Platform version 8.0.2007 or higher.
• Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
• Your deployment must have one or more separate search heads or a search head cluster. ACS is not supported on single instance deployments.

Manage app permissions using the ACS API

The following instructions show you how to view and configure app permissions for roles using the ACS API.

A role must have app read permissions for a user holding that role to see the app on search heads.

View existing app permissions

To list roles assigned read and write permissions for all apps, send an HTTP GET request to the permissions/apps endpoint. For example:

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps?count={{count}}&offset={{offset}}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

By default the list operation returns a maximum count of 30 apps. To change the count, you can specify a count value up to a maximum of 100. A count value of 0 lists all apps. If you have more than 100 apps, you can specify an offset value to list additional apps.

The response lists roles assigned read and write permissions for each app, where "*" refers to all roles available to a user. For example:

{
    "apps": [
        {
            "name": "app1",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "*"
                ]
            }
        },
        {
            "name": "app2",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        },
        {
            "name": "app3",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        }
    ]
}

For endpoint details, see permissions/apps in the ACS endpoint reference.

View app permissions for an individual app

To view roles assigned read and write permissions for an individual app:

Send an HTTP GET request to the permissions/apps/{app-name} endpoint, specifying the name of the app. For example:

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

The response shows roles assigned read and write permissions for the specific app. For example:

{
    "name": "APP-NAME",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}

For endpoint details, see permissions/apps/{app-name} in the ACS endpoint reference.

Configure app permissions for an individual app

To assign app permissions to roles for an individual app:

Send an HTTP PATCH request to the permissions/apps/{app-name} endpoint, specifying the roles to which you want to assign read and write permissions in the request body. For example, to configure an app with read permissions for the admin and power roles and write permissions for the admin role:

curl -X PATCH 'https://admin.splunk.com/{stack}//adminconfig/v2/permissions/apps/{app_name}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data '{
    "read": ["admin", "power"],
    "write": ["admin"]
} 
'

By default, ACS app permissions operations apply only to the first search head (sh1) or search head cluster (shc1) in your deployment and are not replicated across the search tier. To run app permissions operations on a different search head, search head cluster, or premium search head, you must target the specific search head in the request URL. See Target a specific search head for ACS operations

The response shows the newly updated roles assigned read and write permissions for the specific app. For example:

{
    "name": "acs_test_app_1",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}

For endpoint details, see permissions/apps/{app-name} in the ACS endpoint reference.