topic Re: Restricting index access from apps in Security

Restricting index access from apps

keerthana_k — Thu, 30 Oct 2014 10:46:52 GMT

Hi,

We have two separate analytic apps running in a single setup. Users should be able to access both the apps and view the dashboards present in them. However, currently it is possible for a user to search for data of an app using the search page of the other app.

For example, if we have two apps A and B using indexes indexA and indexB respectively, users are able to search for data contained in indexB from app A's search page.

We want to restrict this in such a way that a user searching in app A should be allowed access only to indexA and user searching in app B should be allowed to access only indexB.

Is this possible? If so, please let me know how it can be done.

Thanks in advance

Keerthana

Re: Restricting index access from apps

gfuente — Thu, 30 Oct 2014 11:19:02 GMT

Hello

I think this can not be achieved. The restrictions to the data are applied at a role level. If you have access to a index, you can search that index data from any app

Regards

Re: Restricting index access from apps

kml_uvce — Thu, 30 Oct 2014 11:39:15 GMT

Create roles AUser and Buser under Settings->Access controls -> Roles ,give search index IndexA for AUser and IndexB for BUser and assign permissions of app A to role AUser and app B to Buser.
Assign respective users to role AUser and BUser under Settings->Access controls -> Users

Re: Restricting index access from apps

nefeli — Thu, 30 Oct 2014 13:54:32 GMT

As the answer provided by kml_uvce is the best solution in terms of security, I'm thinking in an alternative solution. It's considerably less secure and I wouldn't recommend it, I'm just trying to give you more choices.

If you don't want to force the user to logout and login again in order to change the app, you can mask the real index name with an automatic lookup as explained in http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index.html. As lookups can be isolated to an app, if the user doesn't know the real index name will not be able to search in it out of the app where the lookup is applied. You should also keep the indexes out of "indexes searched by default" in the rol/user config to avoid them appearing in the search statistics.

Re: Restricting index access from apps

bkondakindi — Mon, 28 Sep 2020 18:02:46 GMT

couple of way.

from index side you create a index rectrict
Create a local account on add roles to users

role_mvas_user1]
accelerate_datamodel = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = ;_;_audit;_blocksignature;_internal;_introspection;_thefishbucket;adprod;adtest;aix;akamai;am_prod;am_test;bcoat_logs;citrix_licensing;citrix_licensing_alerts;coheren
ce;collect_brokerage_tid;devops;dpw_prod;dpw_test;f5_prod;f5_test;fe;firedalerts;fireeye;hadoop;history;infra;linux;main;msad;msexchange;network;os;perfmon;rsa_daily_errors;security;service
_prod;service_test;sos;sos_summary_daily;summareakamaivfirst;summary;summary_akamai_vfirst;summary_forwarders;summary_hosts;summary_impersonations;summary_impersonations_test;summary_indexe
rs;summary_network_securesession;summary_pools;summary_rsa;summary_rsa_test;summary_rsa_test2;summary_sources;summary_sourcetypes;test;ud_prod;ud_test;unix;unix_summary;util_prod;util_test;
web;web_prod;web_test;windows;winevents;xenapp;xenapp_alerts;xenapp_perfmon;xenapp_winevents

Re: Restricting index access from apps

kml_uvce — Fri, 31 Oct 2014 01:47:17 GMT

Hi Keerthana

kindly accept my ans. if it solves your problem...