hi all,
i have an app with several dashboards, each displaying data from different indexes.
the users have roles assigned, which allow them to view different dashboards.
the roles allow access to different indexes.
some months ago, i've added a monitor that sends the data to the 'main' index using a datasource. now i'm asked to add a dashboard for this data and allow some users to use it. i've added a role, inherited the company base user role and capabilities, the index 'main' and a restriction to the datasource.
my testuser that only has this role can use the dashboard. BUT: as soon as i add this role to other users, they can use this new dashboard, but not the other ones anymore. they simply say 'No results found.'
any ideas?
thanks...
Hi
When you have added a search filter to any role and then you add that role to anyone else who has some other roles, Splunk merges those role definitions together. This means that this search filter is added to all users who have this role. For that reason they cannot see anything other than what this search filter allows.
My own suggestion is not to use any search filters, as those usually generate more issues than they solve! Also, I try to avoid using the main/default index for anything. It's much easier to forward this kind of events to their own index and then restrict access by index, not by any search filter.
r. Ismo
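The index-based restriction suggested in the answer above, set next to the filter-based role from the question. This is an added example, not configuration posted by anyone in the thread; the role name, the base role name, the index name `log4jscan` and the monitor path are assumptions.

```ini
# BEFORE: authorize.conf, role as described in the question.
# Access is narrowed with a search filter on the shared 'main' index.
# Role names here are hypothetical.
[role_log4jscan_viewer]
importRoles = company_base_user
srchIndexesAllowed = main
# Per the answer above, this filter is merged into the definition of
# every user who also holds other roles.
srchFilter = sourcetype::log4jscan

# AFTER: restrict by index only, no search filter.

# indexes.conf, a dedicated index (hypothetical name)
[log4jscan]
homePath   = $SPLUNK_DB/log4jscan/db
coldPath   = $SPLUNK_DB/log4jscan/colddb
thawedPath = $SPLUNK_DB/log4jscan/thaweddb

# inputs.conf on the system that reads the files.
# The path is a placeholder for the existing monitor input.
[monitor:///path/to/log4jscan/output]
index = log4jscan
sourcetype = log4jscan

# authorize.conf, the same role without srchFilter.
# Users keep whatever their other roles grant; this role only adds
# one more searchable index.
[role_log4jscan_viewer]
importRoles = company_base_user
srchIndexesAllowed = log4jscan
srchIndexesDefault = log4jscan
```

The dashboard searches then need `index=log4jscan` in place of `index=main`.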
nobody any idea here?
hi,
this was my fear after i read the comment of richgalloway.
that's completely stupid, but it's like it is.
i'm fiddling already around with reindexing the files to a new index, but for some reason splunk will not do so 😉
there seems to be no way to make splunk forget about an already indexed file and reindex the same file to a new index. besides changing the first line of the file. this is not what i want to do.
maybe i'm going this way
thanks for bringing light in the dark 😉
You can reindex files by clearing the fishbucket information on the source system. See more
Definitely you can find a lot more instructions on how to do it if needed.
r. Ismo
Please tell us more about the "restriction to the datasource". What kind of restriction? It's possible this restriction is affecting access to other sources, so the more you can tell us about it, the better we can help.
the restriction i added when creating the role is:
sourcetype::log4jscan
when i click on 'Preview search filter results' i get:
index=main | search sourcetype::log4jscan
this gives me the results i want. but running a search from another role e.g.
index=msexchange OR index=srv066-vm OR index=srv067-vm OR index=ve2k8clu
doesn't return any results