Is it safer to create separate indexes than to add search restrictions?

Clovisa
Path Finder

Hi, I am wondering which one is the safest option to restrict access to my data and why.

Let's say that I sell shoes to resellers and to direct customers. I would like customers not to be able to see the shoes destined for the resellers.

Is it better to:

  • Forward all the shoes to a global "shoes" index and, when I configure the "customer" role, add a search restriction (like "Recipient=customer"), or
  • Forward the customer part to a dedicated index, do the same for the reseller part, and then give the customer access only to the corresponding index?

Thank you!

0 Karma
1 Solution

robgora_deloitt
Path Finder

I would always do permissions off of Indexes rather than search restriction. This way, you can get granular in what type of data is allowed. Then if the user doesn't have access to the index it just won't show in the Search query.

p_gurav
Champion

I think it's better to create separate indexes instead of search restrictions.

0 Karma

Clovisa
Path Finder

Is it an intuition or do you have some reasons in mind?

0 Karma

p_gurav
Champion

What if, in the future, you have to create or correlate data for business reports or dashboards? Then you would have to change the search restrictions again.
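
The two options discussed in this thread, written out as Splunk configuration. This is an added example, not configuration posted by any participant; the index names, role names and monitored paths are hypothetical, and `Recipient` is the field named in the question.

```ini
# authorize.conf -- Option 1: one shared index, role restricted by a search filter.
# Every event for every audience sits in "shoes"; separation depends entirely on
# the filter below being present and correct on every role that can read the index.
[role_customer_filtered]
srchIndexesAllowed = shoes
srchIndexesDefault = shoes
# Restricts the scope of searches run by this role.
srchFilter = Recipient=customer

# authorize.conf -- Option 2: one index per audience, no filter needed.
# A role that is not granted an index gets no results from it.
[role_customer]
srchIndexesAllowed = shoes_customer
srchIndexesDefault = shoes_customer

[role_reseller]
srchIndexesAllowed = shoes_reseller
srchIndexesDefault = shoes_reseller

# Caveat for both options: importRoles adds the imported role's allowed indexes
# to this role, so review what any imported role grants before relying on the
# lists above.

# inputs.conf on the forwarder -- Option 2 separates the data at ingest time.
# (Hypothetical paths; the target indexes must already exist on the indexers.)
[monitor:///var/log/shoes/customer]
index = shoes_customer

[monitor:///var/log/shoes/reseller]
index = shoes_reseller
```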
