Archive
Highlighted

BEWARE: srchFilter usage may negate each other in certain situation.

Champion

If you are using deny (NOT) in your srchFilter be aware that inheritance of multiple roles with negative filters will negate each other.

For example:

role1: srchFilter = NOT abc
role2: srchFilter = NOT xyz

inherited/combined:  srchFilter = (NOT abc) OR (NOT xyz)
       outcome = access to all.

Anyone have a workaround for this?

0 Karma
Highlighted

Re: BEWARE: srchFilter usage may negate each other in certain situation.

SplunkTrust
SplunkTrust

This sounds like a case for srchFilterSelecting = false: http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/authorizeconf

Then you'd get a combined filter of (NOT abc) AND (NOT xyz)

View solution in original post

0 Karma