Getting Data In

Restrict REST access to a specific index

rmorlen
Splunk Employee
Splunk Employee

We have defined a role:

[role_rest_role]

importRoles = can_delete;user

rtSrchJobsQuota = 0

srchDiskQuota = 0

srchIndexesAllowed = indexA

srchIndexesDefault = indexA

srchJobsQuota = 0

We have created a local user that has this role. The problem is that doing a search using REST the user has access to index=main. Since this user "can_delete" we really want to restrict their access to a specific index.

Any ideas?

Tags (2)
0 Karma

Ayn
Legend

It inherits the user role - doesn't this role have access to index main? If so, you need to remove this inheritance.

rmorlen
Splunk Employee
Splunk Employee

Yes, this appears to have been the problem.

Thanks.

0 Karma

rmorlen
Splunk Employee
Splunk Employee

I suspected this. Trying this today. I will post a response on the results.

Thanks.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!