<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PCI application permissions in Security</title>
    <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15198#M389</link>
    <description>&lt;P&gt;Here is what I see in the PCI app as an example.&lt;/P&gt;

&lt;P&gt;In the PCI-Requirement1 folder, there is a default.meta and a local.meta file.&lt;/P&gt;

&lt;P&gt;The default.meta looks like this:&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1]&lt;BR /&gt;
access = read : [ * ], write : [ admin ]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/eventtypes]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/indexes]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/prefs]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/props]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/savedsearches]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/tags]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/transforms&lt;/P&gt;</description>
    <pubDate>Tue, 15 Jun 2010 01:52:13 GMT</pubDate>
    <dc:creator>jambajuice</dc:creator>
    <dc:date>2010-06-15T01:52:13Z</dc:date>
    <item>
      <title>PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15196#M387</link>
      <description>&lt;P&gt;The PCI application searches seem to have the permissions for all of the searches and views set to global.  What config file(s) do I have to modify to restrict them to the PCI app?  Doing it thru the GUI will take &lt;EM&gt;forever&lt;/EM&gt;&lt;/P&gt;

&lt;P&gt;Thx.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jun 2010 02:34:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15196#M387</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2010-06-10T02:34:33Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15197#M388</link>
      <description>&lt;P&gt;They are in the app's &lt;CODE&gt;metadata\*.meta&lt;/CODE&gt; files.&lt;/P&gt;</description>
      <pubDate>Fri, 11 Jun 2010 04:43:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15197#M388</guid>
      <dc:creator>gkanapathy</dc:creator>
      <dc:date>2010-06-11T04:43:22Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15198#M389</link>
      <description>&lt;P&gt;Here is what I see in the PCI app as an example.&lt;/P&gt;

&lt;P&gt;In the PCI-Requirement1 folder, there is a default.meta and a local.meta file.&lt;/P&gt;

&lt;P&gt;The default.meta looks like this:&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1]&lt;BR /&gt;
access = read : [ * ], write : [ admin ]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/eventtypes]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/indexes]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/prefs]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/props]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/savedsearches]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/tags]&lt;BR /&gt;
export = system&lt;/P&gt;

&lt;P&gt;[/nobody/PCI-Requirement1/transforms&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jun 2010 01:52:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15198#M389</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2010-06-15T01:52:13Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15199#M390</link>
      <description>&lt;P&gt;When I modify permissions for some searches in the GUI, the local.meta looks like this:&lt;/P&gt;

&lt;P&gt;[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router]&lt;BR /&gt;
access = read : [ * ], write : [ admin ]&lt;BR /&gt;
export = none&lt;BR /&gt;
owner = nobody&lt;/P&gt;

&lt;P&gt;[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router%20-%20Summary%20Gen]&lt;BR /&gt;
access = read : [ * ], write : [ admin ]&lt;BR /&gt;
export = none&lt;BR /&gt;
owner = nobody&lt;/P&gt;

&lt;P&gt;[savedsearches/PCI%201.1.5%20-%20Trend%20Blocked%20Communication%20-%20Summary%20Gen]&lt;BR /&gt;
access = read : [ * ], write : [ admin ]&lt;BR /&gt;
export = none&lt;BR /&gt;
owner = nobody&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jun 2010 01:52:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15199#M390</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2010-06-15T01:52:43Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15200#M391</link>
      <description>&lt;P&gt;The PCI App is broken up into a dozen or so applications and the data is summarized and presented through the PCIComplianceSuite application.  How can I modify the default.meta file to stop all of the searches and views from appearing in every application without breaking the PCIComplianceSuite app?  Otherwise it's going to take a lifetime to do make those changes on a search by search basis.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jun 2010 01:53:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15200#M391</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2010-06-15T01:53:05Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15201#M392</link>
      <description>&lt;P&gt;It is currently not possible to do that. &lt;/P&gt;

&lt;P&gt;For PCI Suite, all the Apps need to appear at the Global level and changing this will negatively affect the PCIComplianceSuite (which is acting as Master Apps). &lt;/P&gt;

&lt;P&gt;You could set up two different instances (if you are OK with splitting your data) or two different Search Heads (if you want to keep your data centralized) , one for all logs and one for PCI logs. &lt;/P&gt;</description>
      <pubDate>Fri, 25 Jun 2010 07:28:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15201#M392</guid>
      <dc:creator>Lionel</dc:creator>
      <dc:date>2010-06-25T07:28:23Z</dc:date>
    </item>
    <item>
      <title>Re: PCI application permissions</title>
      <link>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15202#M393</link>
      <description>&lt;P&gt;So in the default.meta for one of those apps, is it not possible to change the "export = system" to something like "export = PCIComplianceSuite"?  Is it possible to export the app to anything other than system?&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2010 04:53:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Security/PCI-application-permissions/m-p/15202#M393</guid>
      <dc:creator>jambajuice</dc:creator>
      <dc:date>2010-08-05T04:53:34Z</dc:date>
    </item>
  </channel>
</rss>

