Can a role only have write access to an index?

klim · ‎03-30-2023

Is it possible to limit a role to only have write access to an index?

For example I want a role to be able to do summary indexing via the collect command but I do not want them to have to be able to see what is in the index.

isoutamo · ‎03-31-2023

Hi

I don't think that this is possible.

How your role can collect that data to write into index if it cannot read it?

What is your actually issue which you are trying to solve.

r. Ismo

klim · ‎03-31-2023

If a role has access to index1, then it can search it and run something and then summary index via the collect command to index2. But I want it so that they can only write to index2 and can't read it.

isoutamo · ‎04-01-2023

I’m not sure, but maybe you could try search filter to restrict that read access? I’m not sure if it’s also block the write access too or not?

But you should remember that this role can always generate that data on summary index again from base indexes as long it was on those!

inventsekar · ‎03-30-2023

looks like its possible.. test it on test/dev system thoroughly.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/Rolesandcapabilities

indexes_edit

Lets the user change any index settings such as file size and memory limits.

and then, try to restrict that index to that user..

https://community.splunk.com/t5/All-Apps-and-Add-ons/RBAC-with-indexes/td-p/401763?_ga=2.172840355.1...

Can a role only have write access to an index?

permissions

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio