topic Re: Permissions on indexes and sourcetypes in Getting Data In

Permissions on indexes and sourcetypes

Ant1D — Thu, 13 Jan 2011 01:40:41 GMT

Hey,

I know that you can set read/write permissions on views.

Is it possible to set read permissions on indexes and sourcetypes?

I ask this because it might be good to just prevent certain Splunk users from being able to read data from a particular index. It may be easier to have this functionality instead of turning off read/write access to every view that uses an index/sourcetype that you do not want certain users to have access to.

Thanks in advance for your help.

Re: Permissions on indexes and sourcetypes

ziegfried — Thu, 13 Jan 2011 02:05:45 GMT

Yes, it's possible to restrict access to an index for a role. You can select the visible indexes for every role at Manager » Access controls » Roles » your role under Indexes. You can specify the default indexes (those are searches when no explicit index is specified in the search).

Restricting access to a sourcetype is more compliated. It can only be done by defining Search restrictions for a role, such as

NOT sourcetype=mysourcetype

Re: Permissions on indexes and sourcetypes

Genti — Thu, 13 Jan 2011 02:09:41 GMT

This is already in place.
If you would like users to only access part of the data, then you make sure that you split the data in different indexes. Then, you assign the "default indexes" and "indexes" to specific roles.

You need to go to Manager » Access controls » Roles » user and give specific permissions to the role.
Default indexes = what a default search will look at.
Indexes = what a user can actually specify in the search, for example, "index=abcd"

Default indexes
Set the index(es) that searches default to when no index is specified. User with this role can search other indexes using index= (e.g., "index=special_index").


Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Re: Permissions on indexes and sourcetypes

Ant1D — Thu, 13 Jan 2011 20:09:34 GMT

This is useful to know as I might restrict some users access to certain sourcetypes in my Splunk instance. Thanks again.

Re: Permissions on indexes and sourcetypes

Ant1D — Thu, 13 Jan 2011 20:12:32 GMT

Thanks for the info Genti. If both answers could be ticked I would have done that. Maybe that's an idea for an updated version of Splunk Answers.

Re: Permissions on indexes and sourcetypes

w531t4 — Tue, 25 Mar 2014 17:44:05 GMT

The OP mentioned that he had concerns about users writing to indexes as well (i'm guessing a good example would be a user running |collect)... Does anyone know how to protect from users writing to indexes?

Re: Permissions on indexes and sourcetypes

mcronkrite — Wed, 30 Dec 2015 15:25:38 GMT

Yes, you retrict the acl on the indexers inputs.conf

acceptFrom = ...
* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces

Inputs Conf Spec

Re: Permissions on indexes and sourcetypes

dfrankekcg — Wed, 26 Oct 2016 13:46:49 GMT

Note: you need to prevent the role from inheriting from the User role. Inheriting from the User role gives the new role access to all non internal indexes by default.