
How would I restrict all roles except one while still being able to search data from other indexes?

sdkp03
Communicator

I want to restrict all users except for one role from accessing the contents of one index. To do so, I have updated authorize.conf with the settings below:

[role_abc]
srchIndexesAllowed = *
srchFilter = (index::abc_confidential)

[role_super_user]
srchIndexesAllowed = *
srchFilter = *

When this change is in place, role_super_user behaves as expected, but the other roles that have the restriction are not able to search any data in Splunk. Instead of restricting users belonging to the role from searching content in the specified index, none of the indexes is searchable. I have tried from the UI and the CLI; nothing seems to work. Can someone please assist me in restricting all roles except one from accessing index=abc_restrcit while still being able to search data from other indexes?


gcusello
SplunkTrust

Hi @sdkp03,

You have to define, for each role, the indexes that the role can access.

Pay attention to inheritance, because index access is also inherited from another role.

Ciao.

Giuseppe


sdkp03
Communicator

Thanks @gcusello, I have defined the same settings for all roles, and for the super-user I have defined srchFilter = *. As mentioned, for the super user things are working as expected. However, for all other users, instead of restricting them from searching data in the index specified in srchFilter, it is restricting searching content from all indexes except for index=_*. I fail to understand it. I also executed btool to ensure that there is no other setting overriding this such that none of the indexes are searchable for other users; I didn't find anything except for what I specified.


gcusello
SplunkTrust

Hi @sdkp03,

Instead of defining srchFilter=*, did you try to define (in the Indexes tab) the indexes that can be accessed by the other roles?

Ciao.

Giuseppe


sdkp03
Communicator

No, we have 53 indexes and around 20+ roles. Is it advisable to edit it that way? Is there no simple way of just excluding based on the index name?


gcusello
SplunkTrust

Hi @sdkp03,

In my experience I have found many problems using search limitations, so I always prefer to use index limitations.

If you have many roles, you could create a role with all the common specifications and then inherit this role in all the other roles, adding the specifications of each of them; but in this way all the roles (obviously except admin) inherit the index limitations from the original one.

Ciao.

Giuseppe


sdkp03
Communicator

Thanks @gcusello, I somehow managed to achieve the requirement using srchIndexesDisallowed. However, a new issue has come up: there are a few users who belong to multiple roles, and the restriction takes precedence. Is there a way I can prioritise role settings so that one role takes priority over the combined roles for a user with multiple roles?


gcusello
SplunkTrust

Hi @sdkp03 ,

To my knowledge there isn't any precedence: the higher feature wins, and it can also be a mixture of higher features from multiple roles.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Hi

Probably the best way to do this is to create a new role (or roles) used to restrict access index by index. Then create associations for the users who cannot access this index, e.g. in AD or another IDM. Those users then get the restriction on the specific index(es) through that additional role mapping.

If/when you inherit those accesses across several levels, you almost always get something other than what you are expecting. So my suggestion is to just create an additional role to restrict access and add it somehow (semi-)automatically to the people who shouldn't access that data.

r. Ismo

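To make the behaviour discussed in this thread concrete, here is an added example (not part of the thread and not Splunk's own code) that models how a user's effective index access comes out of authorize.conf. It assumes the documented rule that srchIndexesDisallowed beats srchIndexesAllowed, and the simplifying assumptions that allowed and disallowed lists are unioned across inherited and held roles, that a srchFilter must match for an event to be returned, and that filters from several roles are OR'd; the role names and the authorize.conf fragment are constructed.

```python
import fnmatch
from configparser import ConfigParser

# Constructed authorize.conf fragment modelled on the thread; not a real deployment.
AUTHORIZE_CONF = """
[role_base]
srchIndexesAllowed = *
[role_abc]
importRoles = role_base
srchFilter = (index::abc_confidential)
[role_super_user]
importRoles = role_base
srchFilter = *
[role_deny_abc]
importRoles = role_base
srchIndexesDisallowed = abc_confidential
"""

def load_roles(text):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive, as in the file
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

_split = lambda v: [x.strip() for x in v.split(";") if x.strip()]

def effective(roles, names):
    # Merge all roles the user holds, following importRoles. Assumed rules: allowed
    # and disallowed lists are unioned, disallowed wins, srchFilters are OR'd.
    allowed, disallowed, filters, seen = set(), set(), set(), set()
    def visit(name):
        if name in seen:
            return
        seen.add(name)
        role = roles[name]
        for parent in _split(role.get("importRoles", "")):
            visit(parent)
        allowed.update(_split(role.get("srchIndexesAllowed", "")))
        disallowed.update(_split(role.get("srchIndexesDisallowed", "")))
        if "srchFilter" in role:
            filters.add(role["srchFilter"].strip())
    for n in names:
        visit(n)
    return allowed, disallowed, filters

def can_search(roles, user_roles, index):
    # Filter grammar kept minimal: '*' = any event, '(index::x)' = only index x.
    allowed, disallowed, filters = effective(roles, user_roles)
    if any(fnmatch.fnmatch(index, p) for p in disallowed):
        return False
    if not any(fnmatch.fnmatch(index, p) for p in allowed):
        return False
    return not filters or any(flt == "*" or flt.strip("()") == f"index::{index}" for flt in filters)
```

Under these rules role_abc can read only abc_confidential (the lockout reported above, because the filter is a required match, not an exclusion), while role_deny_abc keeps every other index and a user who also holds role_super_user still loses abc_confidential, since disallowed lists are unioned rather than overridden.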