Solved: Can I reduce my common user role configuration sta...

paimonsoror · ‎10-04-2017

I was wondering if there was a clean way that I could reduce my stanzas in authorize.conf? I was hoping that similar to indexes.conf I could really do some cleanup work by taking something like this:

[role_infomgmtprd_user]
srchIndexesAllowed = app_infomgmtprd
srchIndexesDefault = app_infomgmtprd
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

[role_infomgmtprd_power]
srchIndexesAllowed = app_infomgmtprd
srchIndexesDefault = app_infomgmtprd
importRoles = power
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

[role_owa_power]
srchIndexesAllowed = app_owa
srchIndexesDefault = app_owa
importRoles = power
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

[role_owa_user]
srchIndexesAllowed = app_owa
srchIndexesDefault = app_owa
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

and turning it into something like this:

[role_user]
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

[role_power]
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
rtsearch = disabled
schedule_rtsearch = disabled

[role_infomgmtprd_user]
srchIndexesAllowed = app_infomgmtprd
srchIndexesDefault = app_infomgmtprd
importRoles = user

[role_infomgmtprd_power]
srchIndexesAllowed = app_infomgmtprd
srchIndexesDefault = app_infomgmtprd
importRoles = power

[role_owa_power]
srchIndexesAllowed = app_owa
srchIndexesDefault = app_owa
importRoles = power

[role_owa_user]
srchIndexesAllowed = app_owa
srchIndexesDefault = app_owa
importRoles = user

But that didn't seem to work.

harsmarvania57 · ‎10-04-2017

Hi @paimonsoror,

I'll suggest to create 2 new roles similar as user and power role and modify those roles based on your requirement and import those roles in other roles. I am running same kind of configuration and it is working perfectly fine.

Thanks,
Harshil

View solution in original post

harsmarvania57 · ‎10-04-2017

Hi @paimonsoror,

I'll suggest to create 2 new roles similar as user and power role and modify those roles based on your requirement and import those roles in other roles. I am running same kind of configuration and it is working perfectly fine.

Thanks,
Harshil

DalJeanis · ‎10-05-2017

@paimonsoror - we've converted the comment that worked for you into an answer, so you can "accept" it and close the ticket.

paimonsoror · ‎10-06-2017

Fantastic thank you!

paimonsoror · ‎10-05-2017

This was perfect! Thanks. Slight thing i had to do was also add a 'default' stanza for the scheduled_rtsearch stuff (https://answers.splunk.com/answers/244087/how-to-disable-the-schedule-rtsearch-capability.html) and im good to go 🙂

paimonsoror · ‎10-05-2017

Oh thats a great idea! Let me test that out now .

Can I reduce my common user role configuration stanzas?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?