Hello splunkers 🙂
I have a new issue and I'd like to have your opinion on this.
I created a new custom application that in the search I specify two indexes (eg. index=toto or index=titi).
With a usual user, I can access data only for one index but not from the other.
If I promote my user to admin, he can access data through my custom app for both indexes.
My regular user can access data in these two indexes if he uses the standard Splunk search application.
Is there any mechanism that could block the access to some indexes?
Is there any list of commands that only administrator can execute? (Or rather, is it possible that in my search I use such commands that are blocked?)
I verified in the directory of my apps if I had some permission problem to the XML files or other but it is not the case.
I tried to give all the capabilities to my user....always the same problem 😞
Any help is appreciated.
*update 05/12/2017 *: I'd like to thank all you people for your replies. I've just found the problem. My custom application uses extracted fields by another application; But, my users in this role hadn't read permissions on this application so the I had zero results.Once the right permissions given, my users can use properly my custom app.
Thank you once again for your prompt replies 🙂 Have a good day.
thank you in advance,
Michail
Clone the admin
role and remove All non-internal indexes
value from the clone. Assign users to that role instead. Create other roles, one each, for each index and selectively add this role to users that require access to either index value.
When you create new indexes for non-admin use then you need to grant access to those indexes to a user role.
Go to : Settings > Access Controls > Roles
@mvagionakis - is it a clustered environment?
hello ddrillic,
yes it is.