I have the following scenario. I have five users, say A, B, C, D and E, and I have 5 indexes: Index1, Index2, Index3, Index4 and Index5. Can I restrict the users in the following way?
User A -> All activities directed to Index1
User B -> All activities directed to Index2
User C -> All activities directed to Index3
User D -> All activities directed to Index4
User E -> All activities directed to Index5
If I create a role and assign Index1, will all data be redirected to Index1, and similarly for the others?
So far everything should work, but when I try to upload data, I can see all the indexes. Why?
Please provide your suggestions regarding the scenario.
Yes, you can restrict the user to searching a particular index or sourcetype. Below is an example stanza in authorize.conf:
[role_abc_user]
importRoles = user
srchFilter = NOT (sourcetype = a OR sourcetype = b OR sourcetype = c OR sourcetype = d)
srchIndexesAllowed = abcd
srchIndexesDefault = abcd
srchMaxTime = 0
By activity, if you mean searching, then yes, all User A searches will be redirected, or in better terms restricted, to Index1 only.
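The stanza above restricts searching by role, and the part a reviewer should check is importRoles: a role that imports another role inherits that role's allowed indexes, so the effective set is the union of its own srchIndexesAllowed and its parents'. The following is an added example, not code from this thread or from Splunk: it parses authorize.conf-style stanzas and resolves the effective searchable indexes for a role. The text it parses is constructed for the demo, and the [role_user] stanza in it is a stand-in rather than Splunk's shipped default.

```python
"""Resolve which indexes a Splunk role may search from authorize.conf stanzas.

Added example (not from the original thread or from Splunk). It models two
rules of role-based search restriction:
  * srchIndexesAllowed is a semicolon-separated list of index names or
    wildcard patterns ('*')
  * importRoles pulls in the allowed indexes of parent roles (union)
The sample configuration below is constructed; [role_user] is a stand-in
for a parent role, not the product default.
"""
import configparser
import fnmatch

# Constructed sample: the stanza quoted in the thread plus a hypothetical
# parent role that it imports.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_abc_user]
importRoles = user
srchFilter = NOT (sourcetype = a OR sourcetype = b OR sourcetype = c OR sourcetype = d)
srchIndexesAllowed = abcd
srchIndexesDefault = abcd
srchMaxTime = 0
"""


def parse_authorize_conf(text):
    """Parse authorize.conf text into {role_name: {key: value}}.

    Only [role_*] stanzas are kept; the 'role_' prefix is stripped so that
    names line up with the values used in importRoles.
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case (srchIndexesAllowed, not lowercased)
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(parser.items(section))
    return roles


def _split_list(value):
    """Split a semicolon-separated authorize.conf list, dropping blanks."""
    return [item.strip() for item in value.split(";") if item.strip()]


def effective_allowed_indexes(roles, role, _seen=None):
    """Union of srchIndexesAllowed over the role and every role it imports.

    _seen guards against import cycles in a malformed configuration.
    """
    _seen = _seen if _seen is not None else set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    allowed = set(_split_list(roles[role].get("srchIndexesAllowed", "")))
    for parent in _split_list(roles[role].get("importRoles", "")):
        allowed |= effective_allowed_indexes(roles, parent, _seen)
    return allowed


def can_search_index(roles, role, index):
    """True if any effective pattern (wildcards included) matches the index."""
    patterns = effective_allowed_indexes(roles, role)
    return any(fnmatch.fnmatchcase(index, pattern) for pattern in patterns)


def audit_roles(text):
    """Map every role in the configuration to its sorted effective index list."""
    roles = parse_authorize_conf(text)
    return {name: sorted(effective_allowed_indexes(roles, name)) for name in roles}


if __name__ == "__main__":
    for name, indexes in audit_roles(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{name}: {indexes}")
```

Running it on the sample shows abc_user can search both abcd and main, because importRoles = user pulls in the parent's indexes. If the intent is one role per index, as in the question, either the imported role must itself grant no indexes or the import must be dropped in favour of listing the capabilities directly.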
Thanks for the reply.
By activity I mean both searching and uploading data. Searching is getting redirected to one index only, say User A points to Index1 only.
But the only thing is, while uploading data, say User A uploads data, I cannot remove the "default index"; there I manually select Index1. So is there any means to hide the default index?
As far as I know, rerouting the data to a specific index just based on user is not possible. The data inputs/uploads are not user specific (you can't set sharing permissions on those), hence they would not have access to user attributes like which index the user has access to.
An interesting related discussion at https://answers.splunk.com/answers/32940/restrict-index-access.html.
For a role, you can assign access to one or more indexes. However, this has nothing to do with where log data FROM a particular user is stored.
The fact that you can see everything is perhaps because you are an administrator, and your role has full access?
/k