Getting Data In

Is it safer to create separate indexes than to add search restrictions?

Clovisa
Path Finder

Hi, I am wondering which one is the safest option to restrict access to my data and why.

Let's say that I sell shoes to resellers and to direct customers. I would like customers not to be able to see the shoes destined for the resellers.

Is it better to:

  • Forward all the shoes in a global "shoes" index and, when I configure the "customer" role, add a search restriction (like "Recipient=customer") or
  • Forward the customer part in a dedicated index and same for the reseller part, and then give access only to the corresponding index to the customer

Thank you!

0 Karma
1 Solution

robgora_deloitt
Path Finder

I would always do permissions off of Indexes rather than search restriction. This way, you can get granular in what type of data is allowed. Then if the user doesn't have access to the index it just won't show in the Search query.

p_gurav
Champion

I think it's better to create separate indexes instead of search restrictions.

0 Karma

Clovisa
Path Finder

Is it an intuition or do you have some reasons in mind?

0 Karma

p_gurav
Champion

What if in the future you have to create or correlate data for business reports or dashboards? Then you would have to change the search restrictions again.
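
The two options from the question, written as `authorize.conf` role stanzas. This is an added example, not configuration posted by anyone in the thread; the role names and the index names `shoes_customer` and `shoes_reseller` are assumptions, and `Recipient=customer` is the filter from the question.

```ini
# --- Option 1: one shared index plus a search restriction -----------------
# Both audiences' events live in "shoes". The role may search the whole
# index; isolation rests entirely on the filter string and on the
# Recipient field being present and correct on every event.
[role_customer_filtered]
srchIndexesAllowed = shoes
srchIndexesDefault = shoes
srchFilter = Recipient=customer

# --- Option 2: one index per audience (the accepted answer) ---------------
# Events are routed to separate indexes at ingest time (assumed names).
# Each role lists only its own index, so the other index is simply not
# searchable for that role and no filter string is needed.
[role_customer]
srchIndexesAllowed = shoes_customer
srchIndexesDefault = shoes_customer

[role_reseller]
srchIndexesAllowed = shoes_reseller
srchIndexesDefault = shoes_reseller

# A reporting role that has to correlate both sides is granted both
# indexes explicitly instead of having a filter rewritten.
[role_shoes_reporting]
srchIndexesAllowed = shoes_customer;shoes_reseller
srchIndexesDefault = shoes_customer;shoes_reseller

# Check before deploying: if any of these roles uses importRoles, the
# imported role's srchIndexesAllowed entries are inherited as well.
```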
