topic Re: How to lockdown user write access to indexes in Splunk Cloud Platform

How to lockdown user write access to indexes

edgarrity — Tue, 14 Jun 2022 13:50:55 GMT

Our users have discovered that they can add data to indexes. This could lead to a user accidently polluting a production index. I searched the Splunk documentation and the Internet but was unable to find a solution.

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Re: How to lockdown user write access to indexes

jamie00171 — Tue, 14 Jun 2022 15:57:33 GMT

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin.

If they are adding files through UI then you could remove the inputs_file capability from the roles.

If they are adding inputs then you could remove the edit_monitor capability.

Thanks,

Jamie

Re: How to lockdown user write access to indexes

jamie00171 — Tue, 14 Jun 2022 15:57:51 GMT

Please see here for list of capabilites: https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Rolesandcapabilities

Re: How to lockdown user write access to indexes

edgarrity — Tue, 14 Jun 2022 16:15:13 GMT

Thanks. Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

Re: How to lockdown user write access to indexes

jamie00171 — Tue, 14 Jun 2022 21:33:32 GMT

No problem, from my experience (with Splunk enterprise) the changes take place immediately.