Is it safer to create separate indexes than to add search restrictions?

Clovisa
Path Finder

Hi, I am wondering which one is the safest option to restrict access to my data and why.

Let's say that I sell shoes to resellers and to direct customers. I would like customers not to be able to see the shoes destined for the resellers.

Is it better to:

  • Forward all the shoes in a global "shoes" index and, when I configure the "customer" role, add a search restriction (like "Recipient=customer") or
  • Forward the customer part in a dedicated index and same for the reseller part, and then give access only to the corresponding index to the customer

Thank you!

0 Karma
1 Solution

robgora_deloitt
Path Finder

I would always do permissions off of Indexes rather than search restriction. This way, you can get granular in what type of data is allowed. Then if the user doesn't have access to the index it just won't show in the Search query.

p_gurav
Champion

I think it's better to create separate indexes instead of search restrictions.

0 Karma

Clovisa
Path Finder

Is it an intuition or do you have some reasons in mind?

0 Karma

p_gurav
Champion

What if, in the future, you have to create or correlate data for business reports or dashboards? Then you would have to change the search restrictions again.
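
The two options compared in this thread, sketched as Splunk configuration. This is an added example, not part of the original posts; the index names, role names, monitor paths and the `Recipient=customer` filter follow the question's wording and are otherwise assumptions.

```ini
# ---- Option 1: one shared index, role limited by a search filter ----
# authorize.conf
[role_customer_filtered]
srchIndexesAllowed = shoes
srchIndexesDefault = shoes
# Applied to every search this role runs. Isolation depends on every
# event in "shoes" carrying a correct Recipient value.
srchFilter = Recipient=customer

# ---- Option 2: one index per audience, role limited by index access ----
# indexes.conf (hypothetical index names)
[shoes_customer]
homePath   = $SPLUNK_DB/shoes_customer/db
coldPath   = $SPLUNK_DB/shoes_customer/colddb
thawedPath = $SPLUNK_DB/shoes_customer/thaweddb

[shoes_reseller]
homePath   = $SPLUNK_DB/shoes_reseller/db
coldPath   = $SPLUNK_DB/shoes_reseller/colddb
thawedPath = $SPLUNK_DB/shoes_reseller/thaweddb

# inputs.conf on the forwarder: route each feed at ingestion time
# (hypothetical paths)
[monitor:///var/log/shoes/customer]
index = shoes_customer

[monitor:///var/log/shoes/reseller]
index = shoes_reseller

# authorize.conf
# No importRoles here on purpose: an imported role's allowed indexes
# are inherited, which would widen what these roles can search.
[role_customer]
srchIndexesAllowed = shoes_customer
srchIndexesDefault = shoes_customer

[role_reseller]
srchIndexesAllowed = shoes_reseller
srchIndexesDefault = shoes_reseller

# A reporting role that needs both data sets lists both indexes,
# with no filter to maintain.
[role_shoes_reporting]
srchIndexesAllowed = shoes_customer;shoes_reseller
srchIndexesDefault = shoes_customer;shoes_reseller
```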
