Do I get it right that after the successful setup of the Splunk DB Connect every Splunk user can access the configured databases?
This is not acceptable for almost every environment. I wonder how to implement access control at least per external database on a role basis. It would be nice if Splunk would implement this feature. You should be able to choose the roles which are allowed to use an external database, don't you think?
Can't you just set the permissions for the DB Connect application itself to only allow certain roles to access it? That's what I do and only the admin role can access the Splunk DB Connect interface, views, commands.
I haven't set up lookups yet but I have set up multiple monitoring inputs that push data to different indexes. Indexes have their own permissions settings.
These seem like obvious settings so I'm concerned that I'm missing something on my end and users can access the databases. Can you tell me specifically how all users access the configured db?
To limit the access for the whole application to certain roles is of course no solution. The entitlement for a specific database is user dependent. I cannot name a role with access to all databases. Application-wide permissions render the DB Connect useless.
I would like to grant the users e.g. R/O access to "their" databases so they can use "dbquery" and "lookup" within searches.
How many databases do you access? Another solution could be to have multiple versions of the db connect app installed but renamed for their different purposes. Of course this is a bit of a hack, plus it would break any automatic updates.
Not only do we run numerous databases but I also want to implement separate entries using different users for the same database. Hereby I could use the database restrictions to adjust the capabilities for my Splunk users. I consider a separate instance for every access profile not even as a workaround -- who knows about side effects and the waste of resources caused by this approach.
The DB Connect application is from 2005 and does not support a proper rights management. Do we really talk about an enterprise solution?