On my search head (ver 7.1.3), I have created a user role by manually editing the authorize.conf file, which restricts the allowed indexes for this role, and then I restarted the Splunk service.
I am not able to create a user role and choose Allowed Indexes for this role via the search head GUI because of SPL-145546.
Below is authorize.conf:
[role_restricted_user]
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
srchIndexesDefaule = test_network
Index "test_network" is configured on the Indexer and has indexed events in it.
However, a user with role test_network_2 still gets search results from other indexes.
The same picture persists when I create a user role and a user with this role on the Indexer.
Am I missing something? Please advise.
Hi @pkarpushin,
You are facing this issue because you are inheriting the user role. By default the user role has srchIndexesAllowed = *, so that's why users with role test_network_2 are able to access other indexes.
Hi @harsmarvania57
Thank you for your answer.
Just after I posted this question, I found out that Allowed Indexes are inherited with the roles.
So I created a new role restricted_user with the same settings as the default user role except the srchIndexesAllowed param (above in the updated question).
Unfortunately the issue persists.
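The inheritance discussed in this thread can be checked offline by resolving importRoles and taking the union of srchIndexesAllowed across the chain. This is an added example, not code from the thread or from Splunk; the sample config is constructed, the stanza name role_test_network_old is a hypothetical stand-in for the original version of the role that imported user, and it assumes all role stanzas are available as one merged text.

```python
# Added example: effective srchIndexesAllowed for a role, following importRoles.
# SAMPLE_CONF is constructed; [role_user] reflects the default stated in the answer,
# and role_test_network_old is a hypothetical name for the role as first configured.
SAMPLE_CONF = """\
[role_user]
srchIndexesAllowed = *

[role_restricted_user]
search = enabled

[role_test_network_old]
importRoles = user
srchIndexesAllowed = test_network

[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
"""

def parse_roles(text):
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name[5:], {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return roles

def effective_indexes(roles, role, _seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:  # skip import cycles and unknown roles
        return set()
    seen.add(role)
    # Both settings are semicolon-separated lists in authorize.conf.
    allowed = {i.strip() for i in roles[role].get("srchIndexesAllowed", "").split(";") if i.strip()}
    for parent in roles[role].get("importRoles", "").split(";"):
        if parent.strip():
            allowed |= effective_indexes(roles, parent.strip(), seen)
    return allowed

if __name__ == "__main__":
    roles = parse_roles(SAMPLE_CONF)
    for name in ("test_network_old", "test_network_2"):
        print(name, sorted(effective_indexes(roles, name)))
```

On a real instance the input should be the merged configuration (for example the output of splunk btool authorize list), since role stanzas can come from several authorize.conf files.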