Knowledge Management

datamodel acceleration (TSIDX) & user grants on index

Communicator

Hi splunkers!

I have a problem regarding TSIDX-Files (acc. datamodels):

when having eg. index1 (production) and index2 (test) - users should have access (grants) to index1 OR index2, but not to both (user1->index1, user2->index2) ... (standard splunk) user roles don't work with tsidx by design, I think ... is there a possibility (or workarounds) to grant access to the specific index for user(role)s when using TSIDX (acceleratored datamodels)?

Greetz, Robert

Communicator

OK, here it is clue:

I use 2 userroles (rprod, rtest) - inherited from object/role user:

authorize.conf

[role_user]
srchIndexesAllowed = 

[role_rprod]
importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1

[role_rtest]
importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2

user1 is member of role rprod / user2 is member of role rtest

by default, the user-role has the property:

[role_user]
srchIndexesAllowed = *

and this caused the problem, because I used searches by sourcetype not by index, to be more flexible in customeres usecases ...

0 Karma

Path Finder

So... the solution was not to inherity user role, right ?

As the tsdix are created inside each index folder, when a user runs a query against data accelerated by tscollect, it will return only logs from those indexes right ?

Not both.
Need just to clarify if your second post was the sollution.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!