How can I restrict user access to write to an index?

Path Finder

Use of the collect command, or enabling summary indexing for a report, this feature allows a user/role to write to any index that can be searched.

Are there any options to restrict a role's access to index such that it is read-only, or alternatively is it possible to remove the collect command and summary indexing features from a role's capabilities?


Re: How can I restrict user access to write to an index?


It appears that there is no way for a user to have read-only access to an index while also allowing said search head to write to the same index. You could potentially work around this if you had one search head for users to perform searches (with read-only for that index enabled) and another search head to perform summary indexing (with read/write allowed to the index).


View solution in original post

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.