Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I use authorise.conf centrally to manage user role access to indexes?

pbrinkman
Path Finder
‎06-28-2023 06:06 AM

we have a 6 node SHC

Want to use the deployer to push out authorise.conf so that we can manage the user/role/index access centrally.

Looking for an example of how you control which index is seen by which user/role

For example the role would look like
[mail team]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = mailgatewaylogs;maillogs;emailscanlogs
srchMaxTime = 8640000

How do i specify users to have that have the mail team role ?

user1:mail team
user2:mail team
user3:mail team

Not been able to find any reference or example as to how best to set this configuration centrally.

Thanks in advance

 

0 Karma
Reply

pbrinkman
Path Finder
‎07-03-2023 01:48 AM

glad I asked the question @isoutamo , always wondered what the options were. Have gone down the create an AD account and then go from there, add the capabilities and what index these users can see. 
It was also more around having people in different roles.  Thanks for info

Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2023 09:29 AM

Hi

this was an interesting question. I have never used local users on SHC even its possible.

The best practice is use external user directories to manage users and roles assignments for them. Then you have those role maps on auth*.conf files. Those are easy to push by deployer.

If you want to use local (splunk internal users) on SHC then 1st create roles (I think that those cannot contain space on name?). Push those from deployer as usual. Then use GUI to create users and assign roles to them. 
r. Ismo

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...