Hi splunkers!
I have a problem regarding TSIDX-Files (acc. datamodels):
When having e.g. index1 (production) and index2 (test), users should have access (grants) to index1 OR index2, but not to both (user1->index1, user2->index2) ... (standard Splunk) user roles don't work with tsidx by design, I think ... is there a possibility (or workarounds) to grant access to the specific index for user(role)s when using TSIDX (accelerated datamodels)?
Greetz, Robert
OK, here is the clue:
I use 2 userroles (rprod, rtest) - inherited from object/role user:
authorize.conf
[role_user]
srchIndexesAllowed =
[role_rprod]
importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1
[role_rtest]
importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2
user1 is member of role rprod / user2 is member of role rtest
by default, the user-role has the property:
[role_user]
srchIndexesAllowed = *
and this caused the problem, because I used searches by sourcetype, not by index, to be more flexible in customers' use cases ...
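An added example, not part of the original posts: a small audit that resolves importRoles and reports each role's effective srchIndexesAllowed, run against the stanzas from this thread with the default and the corrected [role_user]. It assumes a role's allowed indexes are the union of its own list and those of every role it imports; the function names are hypothetical, the sample text is constructed from the post, and layering across multiple authorize.conf files is not handled.

```python
import configparser

# Constructed sample input: the thread's stanzas, with both variants of [role_user].
DEFAULT_USER = "[role_user]\nsrchIndexesAllowed = *\n"
FIXED_USER = "[role_user]\nsrchIndexesAllowed =\n"
THREAD_ROLES = """
[role_rprod]
importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1
[role_rtest]
importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2
"""

def _split(value):
    # Both settings are semicolon-delimited lists in authorize.conf.
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_indexes(conf_text):
    """Return {role: set of srchIndexesAllowed entries, imported roles included}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: cp[s] for s in cp.sections() if s.startswith("role_")}

    def resolve(name, seen):
        if name in seen or name not in roles:  # import cycle, or role defined elsewhere
            return set()
        seen = seen | {name}
        allowed = set(_split(roles[name].get("srchIndexesAllowed", "")))
        for parent in _split(roles[name].get("importRoles", "")):
            allowed |= resolve(parent, seen)  # assumption: inheritance is a union
        return allowed

    return {name: resolve(name, frozenset()) for name in roles}

def overbroad(conf_text):
    """Roles whose effective list contains a wildcard pattern."""
    effective = effective_indexes(conf_text)
    return sorted(r for r, idx in effective.items() if any("*" in i for i in idx))

if __name__ == "__main__":
    for label, user in (("default [role_user]", DEFAULT_USER), ("fixed [role_user]", FIXED_USER)):
        conf = user + THREAD_ROLES
        print(label, effective_indexes(conf), "wildcard roles:", overbroad(conf))
```
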
So... the solution was not to inherit the user role, right?
As the tsidx are created inside each index folder, when a user runs a query against data accelerated by tscollect, it will return only logs from those indexes, right?
Not both.
Need just to clarify if your second post was the solution.