Security

Access permissions in Cisco firewall app

jaygirlardo
New Member

Hey Splunkers,

I got a question hopefully someone can answer. In my setup I have the Cisco security suite and Cisco firewalls app installed, as well as the Windows app. I am having problems with Cisco firewall data showing up in a user's overview. The user only has permissions to its site's index that contains that site's domain controller. The user has inherited roles from the default user but in that role I have deleted having access to main and internal indexes. So the default user has access to no indexes. Then when I created the site's user I gave him access to only the one index. So why is firewall info from other indexes showing up in his firewall app overview?

Any help is appreciated, Thanks!

0 Karma

DaveSavage
Builder

In Manager >> Access controls >> Users...does your user (listed there) have 2 roles in the near right column...e.g. 1 you created / crafted specially AND a default one?
If so, click on them and remove the default grey selected role....

0 Karma

jaygirlardo
New Member

Yup, they only have the one role I assigned them. About index independent, what is that?

0 Karma

DaveSavage
Builder

...and if it's not that (an oversight I've made in the past ;-)...then you may need the orig author's 2-penneth.
I did clock in the release notes that (for say ASAs which we use) the update as at Sept 10th indicates 'is now index independent'....hmm.

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any others. But somehow firewall info is viewable from their login.

0 Karma

DaveSavage
Builder

Jaygirlardo,
These plug-ins use the index=firewall...and I guess that is the one you gave them access to?
If a user ran a standard search...and hypothetically a firewall pushed its logs to, say, a syslog server...which has a forwarder on it...then the results may go elsewhere e.g. 'main' which is the default?
How, or at what level did you think you implemented the permission(s)?
User levels within Splunk are fairly generic (from Manager tab...but you prob already know that).
Have you implemented any specific transforms?
Br
Dave

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any other Windows machines. But somehow firewall info is viewable from their login. For some reason I don't think it has to do with permissions. Maybe something the Cisco firewall app does by default? I think I have a good idea how the roles and users work, but I could be wrong.

0 Karma

DaveSavage
Builder

Indexes searched by default has to be 'clear all'd...I take it you did that?

0 Karma
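An added example, not part of the thread and not code from Splunk or the Cisco apps: a small Python audit that resolves which indexes a role can really search once `importRoles` inheritance in `authorize.conf` is taken into account, which is the check the replies above are circling around. The role names `site_a`, `site_b` and `legacy_ops` and the sample stanzas are constructed, and the script assumes that index lists from imported roles are unioned with the role's own.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf sample (hypothetical roles, not the poster's config).
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed =
srchIndexesDefault =

[role_site_a]
importRoles = user
srchIndexesAllowed = site_a

[role_site_b]
importRoles = user;legacy_ops
srchIndexesAllowed = site_b

[role_legacy_ops]
srchIndexesAllowed = *
srchIndexesDefault = main
"""

def load_roles(text):
    """Parse role_* stanzas into {role_name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, name, setting, seen=None):
    """Union of a semicolon-separated setting over a role and all roles it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)  # guards against import cycles
    out = {v.strip() for v in roles[name].get(setting, "").split(";") if v.strip()}
    for parent in roles[name].get("importRoles", "").split(";"):
        if parent.strip():
            out |= effective(roles, parent.strip(), setting, seen)
    return out

def can_search(patterns, index):
    """Wildcard match; '*' does not cover internal '_' indexes, '_*' does."""
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def roles_reaching(roles, index):
    """Every role whose effective srchIndexesAllowed lets it search `index`."""
    return sorted(r for r in roles
                  if can_search(effective(roles, r, "srchIndexesAllowed"), index))
```

Running `roles_reaching` against the real `authorize.conf` for the index that holds the firewall data lists every role that can see it, including roles that only get there through an imported role.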