How come after allowed Indexes are restricted in authorize.conf, affected users are still able to search anywhere?

pkarpushin
Path Finder

On my SearchHead (ver 7.1.3), I have created a user role by manually editing the authorize.conf file, which restricts the allowed indexes for this role, and then I rebooted the Splunk service.

I am not able to create a user role and choose Allowed Indexes for this role via the SearchHead GUI because of SPL-145546.
Below is authorize.conf:

[role_restricted_user]
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled

[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
srchIndexesDefault = test_network

Index "test_network" is configured on the Indexer and has indexed events in it.
However, a user with role test_network_2 still gets search results from other indexes.

The same picture persists when I create a user role and a user with this role on the Indexer.

Am I missing something? Please advise.


harsmarvania57
Ultra Champion

Hi @pkarpushin,

You are facing this issue because you are inheriting the user role. By default the user role has srchIndexesAllowed = *, so that's why users with role test_network_2 are able to access other indexes.

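The mechanism behind this answer is that a role's searchable indexes are the union of its own srchIndexesAllowed and those of every role it imports (transitively), and a user who holds several roles gets the union across all of them. The script below is an added example, not code from this thread or from Splunk; it parses a constructed authorize.conf (the stock user role with srchIndexesAllowed = * plus the stanzas from the question) and computes the effective index set for a role. It assumes Splunk's documented semantics that importRoles and srchIndexesAllowed are semicolon-separated, that a bare * matches every non-internal index, and that internal indexes (leading underscore) are only matched by patterns that themselves start with an underscore.

```python
import configparser
import fnmatch

# Constructed sample authorize.conf (not a real file from the thread): the
# stock Splunk "user" role, the restricted_user role from the question, and
# two variants of test_network_2 that differ only in which role they import.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_restricted_user]
search = enabled

[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
srchIndexesDefault = test_network

[role_test_network_inherits_user]
importRoles = user
srchIndexesAllowed = test_network
srchIndexesDefault = test_network
"""


def parse_authorize_conf(text):
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so 'srchIndexesAllowed' is preserved
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(cp[section])
    return roles


def _split_list(value):
    """Splunk separates multi-valued role settings with ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_allowed_indexes(roles, role_name, _seen=None):
    """Union of srchIndexesAllowed over the role and everything it imports.

    Assumed Splunk semantics: inheritance only ever widens index access,
    so a restrictive child cannot take away what an imported role grants.
    """
    _seen = _seen if _seen is not None else set()
    if role_name in _seen or role_name not in roles:
        return set()  # cycle guard / unknown role contributes nothing
    _seen.add(role_name)
    stanza = roles[role_name]
    allowed = set(_split_list(stanza.get("srchIndexesAllowed", "")))
    for parent in _split_list(stanza.get("importRoles", "")):
        allowed |= effective_allowed_indexes(roles, parent, _seen)
    return allowed


def index_matches(pattern, index_name):
    """'*' covers non-internal indexes only; '_*' style patterns cover internal ones."""
    if index_name.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index_name, pattern)


def can_search(roles, user_roles, index_name):
    """A user holding several roles gets the union of all their index grants."""
    allowed = set()
    for role_name in user_roles:
        allowed |= effective_allowed_indexes(roles, role_name)
    return any(index_matches(p, index_name) for p in allowed)


if __name__ == "__main__":
    roles = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("test_network_2", "test_network_inherits_user"):
        print(role, "->", sorted(effective_allowed_indexes(roles, role)))
    # A user who is *also* directly assigned the stock 'user' role is wide open
    # again, even though test_network_2 on its own is restricted.
    print("test_network_2 alone, index web:", can_search(roles, ["test_network_2"], "web"))
    print("test_network_2 + user, index web:", can_search(roles, ["test_network_2", "user"], "web"))
```

When auditing a role, check both the import chain and every role assigned to the affected user in the user's own stanza or LDAP/SAML mapping: a restricted role next to an unrestricted one still yields unrestricted search, exactly as the example's last line shows.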

pkarpushin
Path Finder

Hi @harsmarvania57,
Thank you for your answer.
Just after I posted this question I found out that Allowed Indexes are inherited with the roles.
So I created a new role restricted_user with the same settings as the default user role except the srchIndexesAllowed param (above in the updated question).
Unfortunately the issue persists.
