Re: Restrict REST access to a specific index

rmorlen · ‎10-24-2012

We have defined a role:

[role_rest_role]

importRoles = can_delete;user

rtSrchJobsQuota = 0

srchDiskQuota = 0

srchIndexesAllowed = indexA

srchIndexesDefault = indexA

srchJobsQuota = 0

We have created a local user that has this role. The problem is that doing a search using REST the user has access to index=main. Since this user "can_delete" we really want to restrict their access to a specific index.

Any ideas?

Ayn · ‎10-24-2012

It inherits the user role - doesn't this role have access to index main? If so, you need to remove this inheritance.

rmorlen · ‎10-25-2012

Yes, this appears to have been the problem.

Thanks.

rmorlen · ‎10-25-2012

I suspected this. Trying this today. I will post a response on the results.

Thanks.

Restrict REST access to a specific index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation