Getting Data In

How to give a user access "full control" over his forwarder inputs on the configure server, but restrict access to any other forwarders?

demodav
Path Finder

I want the ability to grant a user access to his forwarder inputs on the configure server, so that he can add Windows event Logs, Files & Directories, Windows Performance Monitoring, TCP, UDP, & Scripts to his forwarder. However, I want to limit it where he does not have access to any other of the forwarders. How can I achieve this?

0 Karma

renjith_nair
Legend

If you are talking about the data visibility, then forward the data to different indexes and set the user permission only to his index.
About the forwarders, are you setting up multiple forwarders on same machine? If not, the access restrictions should be at machine level

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

demodav
Path Finder

No, not just visibility, but manageability. Within the Configure server. I want to grant admin privileges to only 1 index. So that the team can manage their own forwarder, but not have access to others on the system.

0 Karma

renjith_nair
Legend

I'm sorry I didn't get that quite clear. If i understand correctly, you have a config server and you have multiple forwarders on that for different teams and you want to separate it so that each team handles their own inputs.
So do you have multiple forwarders on the config server or just one forwarders which forwards data from different inputs?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...