Getting Data In

Restrict REST access to a specific index

rmorlen
Splunk Employee
Splunk Employee

We have defined a role:

[role_rest_role]

importRoles = can_delete;user

rtSrchJobsQuota = 0

srchDiskQuota = 0

srchIndexesAllowed = indexA

srchIndexesDefault = indexA

srchJobsQuota = 0

We have created a local user that has this role. The problem is that doing a search using REST the user has access to index=main. Since this user "can_delete" we really want to restrict their access to a specific index.

Any ideas?

Tags (2)
0 Karma

Ayn
Legend

It inherits the user role - doesn't this role have access to index main? If so, you need to remove this inheritance.

rmorlen
Splunk Employee
Splunk Employee

Yes, this appears to have been the problem.

Thanks.

0 Karma

rmorlen
Splunk Employee
Splunk Employee

I suspected this. Trying this today. I will post a response on the results.

Thanks.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...