Is it possible to limit a role to only have write access to an index?
For example I want a role to be able to do summary indexing via the collect command but I do not want them to have to be able to see what is in the index.
Hi
I don't think that this is possible.
How your role can collect that data to write into index if it cannot read it?
What is your actually issue which you are trying to solve.
r. Ismo
If a role has access to index1, then it can search it and run something and then summary index via the collect command to index2. But I want it so that they can only write to index2 and can't read it.
I’m not sure, but maybe you could try search filter to restrict that read access? I’m not sure if it’s also block the write access too or not?
But you should remember that this role can always generate that data on summary index again from base indexes as long it was on those!
looks like its possible.. test it on test/dev system thoroughly.
https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/Rolesandcapabilities
indexes_edit | Lets the user change any index settings such as file size and memory limits. |
and then, try to restrict that index to that user..