Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to design/define roles?

chris
Motivator
‎08-07-2012 01:54 AM

Hi

We had a little discussion about splunk architectures and how roles should be designed.
I was wondering if anyone has any hints/best practices to define roles.

My approach so far was to build indexes that are then assigned to roles in authorize.conf using the 'srchIndexesAllowed'. I try not to use the 'srchFilter' parameter if I can avoid it. I think that 'srchFilter' will have performance impacts and I created a mess once using inheritance and different search filters.

Regarding the capabilities I usually derive from the 'user' or 'power' role which are fine for 95% of the roles I have to define.

Feedback is appreciated

Chris

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-07-2012 02:15 AM

I also avoid using the search filter for roles. Once upon a time, it was about the only way to effectively segregate data. Occasionally, it is still useful. Like you, I believe that it adds unnecessary complexity without great benefits.

I like to have two types of roles:

  • roles that grant privileges (power, user, etc) BUT no data access. These roles do not give access to ANY indexes, not even main. Important: inheriting from a role that has index access will also inherit the index access, so be careful with the default roles!
  • roles that grant only basic user privileges AND give access to one or more indexes.

Each user is assigned at least two roles: one for their capabilities and one for their index access.

This lets me keep a very clean set of roles. I got the idea from Gerald, of course; the #1 ranked person on Splunk Answers!

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-07-2012 02:15 AM

I also avoid using the search filter for roles. Once upon a time, it was about the only way to effectively segregate data. Occasionally, it is still useful. Like you, I believe that it adds unnecessary complexity without great benefits.

I like to have two types of roles:

  • roles that grant privileges (power, user, etc) BUT no data access. These roles do not give access to ANY indexes, not even main. Important: inheriting from a role that has index access will also inherit the index access, so be careful with the default roles!
  • roles that grant only basic user privileges AND give access to one or more indexes.

Each user is assigned at least two roles: one for their capabilities and one for their index access.

This lets me keep a very clean set of roles. I got the idea from Gerald, of course; the #1 ranked person on Splunk Answers!

Reply
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...