Hi all, not sure if deployment architecture was the right place to put this question. I need some clarification regarding search restrictions.
Context: The powers that be are looking into roles to enforce data segregation on a single application to serve multiple clients. This is not my area of expertise.
Question:
I'm having trouble figuring out the syntax of 'Search Restrictions' in the roles section of Splunk. For each role, we limit the indexes available to that client through settings->users&authentication->roles -->indexes. For now, included is checked for each index used. There are 6 capabilities inherited from a base class, which I can list if they are relevant to the question.
Through testing, I've narrowed down the problem to the restrictions. Confining the search to the indexes works and we get all the data we need through (though it's not separated by client). When I hit 'search restrictions', I've tried several combinations of syntax to evaluate a field present in the indexes that dictates which client's data we're looking at. Call it client. This is a two-digit alphanumeric.
example:
The format in live data: clientArray.CLIENT=6A
in summary data: CLIENT=6A
Looking through the docs, it should work correctly from what I can tell. I add in my field for both like so, using the search filter SPL generator:
(CLIENT::6A) OR (clientArray.CLIENT::6A)
The preview gives me:
index=index1 OR index=index2 OR index=index3 OR index=index4 OR index=index5 | search (CLIENT::6A) OR (clientArray.CLIENT::6A)
This does not allow any data through. If I use the operator CLIENT=6A in a basic search, I'm getting back the data I need. Of course '=' is not allowed in search restrictions. Any ideas on what I'm doing wrong here?
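The same role, written as an authorize.conf stanza instead of through the Splunk Web roles page, so the index restriction and the search filter can be seen side by side. This is an added illustration and not configuration from the original post: the role name role_client_6a is assumed, while the index names and the filter expression are copied from the generated preview in the question. Whether the `field::value` form matches a search-time extracted field such as clientArray.CLIENT (as opposed to an indexed field) is not settled in this thread and should be checked against authorize.conf.spec for the installed version.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Added example, not from the original post. Role name is assumed;
# index names and the filter come from the question's generated preview.
[role_client_6a]
importRoles = user

# Indexes this role is allowed to search (semicolon-delimited).
srchIndexesAllowed = index1;index2;index3;index4;index5

# Indexes searched when a query gives no index= term.
srchIndexesDefault = index1;index2;index3;index4;index5

# Filter appended to every search this role runs; the intent is to
# confine results to one client's events in both live and summary data.
srchFilter = (CLIENT::6A) OR (clientArray.CLIENT::6A)
```

Two checks are worth doing before blaming the filter syntax: run `splunk btool authorize list role_client_6a --debug` on the search head to see the stanza that actually results after imported roles are merged, and run the preview SPL from the question (`index=index1 OR ... | search (CLIENT::6A) OR (clientArray.CLIENT::6A)`) as an admin user. If that search returns nothing even without the role restriction, the empty result comes from how the `::` terms match the field, not from the role itself.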
Types of resource restrictions
Resource restrictions are applied in the following order: user, user role, and tenant. For example, restrictions that are set for a user take precedence over restrictions that are set for the user role or tenant that the user is assigned to.
User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.
For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building QRadar® queries.
Role-based restrictions
Role-based restrictions allow you to define groups of users who require different levels of access to your QRadar deployment. By setting role-based restrictions, you can balance the needs of different types of users.
For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.
Unless I'm mistaken, this is related to another product and not Splunk.