I'm trying to restrict the metadata that is available to users of a particular role. The main reason I'm doing this is because I don't want users to be able to see tons of information about different hosts/sources/sourcetypes that they cannot access while they are in the dashboard, but I do want them to be able to see the information about the hosts/sources/sourcetypes that are available to them. Is there a way to restrict the metadata to just what the user is allowed to access?
Index-wise, you should be able to restrict the metadata. I'm not completely sure about your particular application and would like to see the specific role filters.
As far as I know (and the little test that I just concluded), there is no way to tell the role what metadata to show and what not to show.
However, I believe what you are trying to achieve can be done by the following:
This role will have only these capabilities:
This role will not inherit any other capabilities from any other role (i.e., remove the user from the selected roles list).
Here is my setup:
Created an index called localping.
Used ping localhost > meta.test to get some sample logs.
Created a new role called metadatatest and gave it the above capabilities and made localping the default index as well as the only index that this role can search.
Created a user called metauser with the metadatatest role.
Logged in with this user and can only see info from the localping index.
Here is a sample screenshot:
Sources (1) Source | Total Count | Last Updated (desc)
* /Users/gzaimi/meta.test | 1,283
Sourcetypes (1) Sourcetype | Total Count | Last Updated (desc)
* test-too_small | 1,283
Hosts (1) Host | Total Count | Last Updated (desc)
* localhost | 1,283
As you can see, I can only see these instead of seeing a lot more data that I can usually see with the admin role.
Hope this helped. .gz
Actually, when I tried it with just the index it did not work completely, i.e., it did show me the rest of the info which is in the main index. Hence the removing of the user role privileges and creating the role with only the given capabilities.
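Added example (not from the thread or from Splunk): a small Python check for the behaviour described in the comment above, where restricting the index alone still exposed the main index until role inheritance was removed. It assumes inheritance unions srchIndexesAllowed across imported roles; the stanza contents, the role name metadatatest_inheriting and the helper names are constructed for illustration.

```python
import configparser

# Constructed authorize.conf text: role and index names follow the post,
# the "user" stanza values and the "_inheriting" role are assumptions.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_metadatatest_inheriting]
importRoles = user
srchIndexesAllowed = localping
srchIndexesDefault = localping

[role_metadatatest]
importRoles =
srchIndexesAllowed = localping
srchIndexesDefault = localping
"""

def split_list(value):
    """authorize.conf lists are semicolon-separated."""
    return [item.strip() for item in value.split(";") if item.strip()]

def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}

def effective_indexes(roles, name, seen=None):
    """Union of srchIndexesAllowed over a role and every role it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against import cycles
        return set()
    seen.add(name)
    allowed = set(split_list(roles[name].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[name].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, seen)
    return allowed

def unintended_indexes(roles, name, intended):
    """Index patterns the role can search beyond the intended list."""
    return sorted(effective_indexes(roles, name) - set(intended))

if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONF)
    for role in ("metadatatest_inheriting", "metadatatest"):
        print(role, unintended_indexes(roles, role, ["localping"]))
```
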
This is related and should generalize...
I populate sideview pulldowns with a list of HPC clusters, each saved into an index with an hpc_ prefix. The below forms the list of all such indexes, and then subsets it to only those the user's role allows them to search (determined by the role's allowed index list).
| eventcount summarize=false index=hpc_* | where count>0 | map [search index=$index$ | head 1] maxsearches=20 | eval cluster=substr(index,5) | fields cluster
Perhaps you could form lists of hosts/sources/sourcetypes via | metadata and then subset via map according to role search filters?
Disclaimer: the above is slow with many indexes (no surprise), and Splunk 5's eventcount appears to only list those indexes permitted by the current role, so map is unnecessary.