Knowledge Management

Experiencing role/index/restriction problem

pbnl
Path Finder

hi all,

i have an app with several dashboards, each displaying data from different indexes.
the users have roles assigned, which allow them to view different dashboards.
the roles allow access to different indexes.
some month ago, i've added a monitor that sends the data to the 'main' index using a datasource. now i'm asked to add a dashboard for this data and allow some users to use it. i've added a role, inherited the company base user role and capabilities, the index 'main' and a restriction to the datasource.
my testuser that only has this role can use the dashboard. BUT: as soon i add this role to other users, they can use this new dashboard, but not the otherones anymore. they simply say 'No results found.'

any ideas?
thanks...

Labels (1)
Tags (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

When you have added a search filter to any role and then you add that role to anyone else which have some other roles splunk merges those role definitions together. And this means that this search filter is added to all users which have this role. For that reason they cannot see anything else than this search filter allow.

My own suggestion is not to use any search filters as those usually generate more issues than solve! Also I try to avoid to use main/default index for anything. It's much easier to forward this kind of events to own index and then restrict access by index not by any search filter.

r. Ismo

View solution in original post

pbnl
Path Finder

nobody any idea here? 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

When you have added a search filter to any role and then you add that role to anyone else which have some other roles splunk merges those role definitions together. And this means that this search filter is added to all users which have this role. For that reason they cannot see anything else than this search filter allow.

My own suggestion is not to use any search filters as those usually generate more issues than solve! Also I try to avoid to use main/default index for anything. It's much easier to forward this kind of events to own index and then restrict access by index not by any search filter.

r. Ismo

pbnl
Path Finder

hi,

this was my fear after i read the comment of richgalloway.
that's completely stupid, but it's like it is.
i'm fiddling already around with reindexing the files to a new index, but for some reason splunk will not do so 😉
there seems to be no way to make splunk forget about an already indexed file and reindex the same file to a new index. besides changing the first line of the file. this is not what i want to do.
maybe i'm going this way

thanks for bringing light in the dark 😉

0 Karma

isoutamo
SplunkTrust
SplunkTrust
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please tell us more about the "restriction to the datasource".  What kind of restriction?  It's possible this restriction is affecting access to other sources so the more you can tell us about the better we can help.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pbnl
Path Finder

the restriction i added when creating the role is:
sourcetype::log4jscan

when i click on 'Preview search filter results' i get:
index=main | search sourcetype::log4jscan

this give me the results i want. but running a search from an other role e.g.
index=msexchange OR index=srv066-vm OR index=srv067-vm OR index=ve2k8clu
doesn't return any results

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...