
How would I restrict all roles except one while still being able to search data from other indexes?

sdkp03
Communicator

I want to restrict all users except for one role from accessing the contents of one index. To do so, I have updated authorize.conf with the settings below:

    [role_abc]
    searchIndexesAllowed = *
    srchFilter = (index::abc_confidential)

    [role_super_user]
    searchIndexesAllowed = *
    srchFilter = *

When this change is in place, role_super_user behaves as expected, but the other roles which have the restriction are not able to search any data in Splunk. Instead of restricting users belonging to the role from searching for content in the specified index, none of the indexes are searchable. I have tried from the UI and the CLI; nothing seems to work. Can someone please assist me in restricting all roles except one from accessing index=abc_restrcit while still being able to search data from other indexes?


gcusello
SplunkTrust

Hi @sdkp03,

You have to define, for each role, the indexes that role can access.

Pay attention to inheritance, because index access is also inherited from another role.

Ciao.

Giuseppe


sdkp03
Communicator

Thanks @gcusello, I have defined the same settings for all roles, and for the super-user I have defined srchFilter = *. As mentioned, for the super user things are working as expected. However, for all other users, instead of restricting them from searching data in the index specified in srchFilter, it is restricting searching content from all indexes except for index=_*. I fail to understand this. I also ran btool to ensure that there is no other setting overriding mine such that none of the indexes are searchable for other users; I didn't find anything except for what I specified.


gcusello
SplunkTrust

Hi @sdkp03,

Instead of defining srchFilter=*, did you try to define (in the indexes tab) the indexes that can be accessed by the other roles?

Ciao.

Giuseppe


sdkp03
Communicator

No, we have 53 indexes and around 20+ roles. Is it advisable to edit it that way? Is there no simple way of just excluding based on the index name?


gcusello
SplunkTrust

Hi @sdkp03,

In my experience I have found many problems using search limitations, so I always prefer to use the index limitation.

If you have many roles, you could create a role with all the common specifications and then inherit this role in all the other roles, adding the specifications of each of them; but in this way all the roles (obviously without admin) inherit the index limitations from the original one.

Ciao.

Giuseppe


sdkp03
Communicator

Thanks @gcusello, I somehow managed to achieve the requirement using srchIndexesDisallowed. However, a new issue has come up: there are a few users who belong to multiple roles, and the restriction takes precedence. Is there a way I can prioritise one role's settings over the combined roles for a user with multiple roles?


gcusello
SplunkTrust

Hi @sdkp03,

To my knowledge there isn't any precedence: the higher feature wins, and it can also be a mixture of higher features from multiple roles.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Hi

Probably the best way to do this is to create a new role (or roles) which is used to restrict access index by index. Then create associations, e.g. in AD or another IDM, for the users who cannot access this index. Those users then get the restriction on the specific index(es) through that additional role mapping.

If/when you inherit those accesses over several levels, you almost always get something other than what you are expecting. So my suggestion is to just create an additional role to restrict access and add it somehow (semi-)automatically to the people who shouldn't access that data.

r. Ismo

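As an added example that is not part of the thread, this authorize.conf puts the approach from the last two posts together: a shared base role, a separate restriction role that carries only srchIndexesDisallowed, and the single role that keeps access. The role names, the "user" role being imported and the abc_confidential index are assumptions.

```ini
# Added example, not the thread's own configuration.
# Role names and the abc_confidential index are assumptions.

# Common base: every analyst role imports this one, so the searchable
# indexes are granted in one place instead of in each of 20+ roles.
[role_base_analyst]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = main

# Restriction role: grants nothing extra, only removes the confidential
# index. Map it (via the AD/IdP group mapping) to every user who must
# NOT see that index, as isoutamo suggests.
[role_no_confidential]
importRoles = role_base_analyst
srchIndexesDisallowed = abc_confidential

# The one role that may read the confidential index. Do not also assign
# role_no_confidential to these users: as sdkp03 observed, the disallow
# list wins when a user holds both roles.
[role_super_user]
importRoles = role_base_analyst
srchIndexesAllowed = *
```

After deploying, `splunk btool authorize list --debug` shows the merged stanzas and where each setting comes from, and a test search as a user in role_no_confidential should return no events from the disallowed index while other indexes remain searchable.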