Security

How come after allowed Indexes are restricted in authorize.conf, affected users are still able to search anywhere?

pkarpushin
Path Finder

On my SearchHead (ver 7.1.3) , I have created a user role via manually editing the authorize.conf file, which restricts the allowed indexes for this role, and then I rebooted the Splunk service.

I am not able to create a user role and choose Allowed Indexes for this role via SearchHead gui because of SPL-145546.
Below is authorize.conf:

[role_restricted_user]
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
srchIndexesDefaule = test_network

Index "test_network" is configured on the Indexer and has indexed events in it.
However user with role test_network_2 yet still gets search results from on there indexes.

The same picture persists when I create a user role and user with this role on the Indexer.

Am I missing something? Please advise.

Tags (1)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @pkarpushin,

You are facing this issue because you are inheriting user role. By default user role has srchIndexesAllowed = * so that's why user with role test_network_2 are able to access other indexes.

0 Karma

pkarpushin
Path Finder

Hi @harsmarvania57
Thank you for your answer.
Just after I have posted this question I found out that Allowed Indexes are inherited with the roles.
So I created new role restricted_user with the same as default user except srchIndexesAllowed param (above in updated question).
Unfortunately the issue persists.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!