How to restrict index access to a subset of events, while allowing full access to other indexes?

Path Finder

I am interested in allowing a limited number of network users to access specific Windows events. The network users are currently members of a "companyusernetwork" role. I would like to create a second role for the purpose of assigning access to the subset of Windows events.

Role: companywineventsubsetuser
restrict search terms: eventtype=wineventsubset
inherited roles:

indexes searched by default: All non-internal indexes
restrict access to index: wineventlog

Role: companyusernetwork
inherited roles: user
indexes searched by default: firewall, network, vpn, web
restrict access to index: firewall, network, vpn, web

User: usertest
selected roles: companyusernetwork, companywineventsubsetuser

I have attempted using the above configurations. Unfortunately, the "restrict search terms: eventtype=wineventsubset" is being applied to both roles, not just the "companywineventsubsetuser" role. Is this correct? Is there a different way that access can be restricted to a subset of the Windows event logs while still allowing full access to the other indexes listed in the role?

Thank you.


Re: How to restrict index access to a subset of events, while allowing full access to other indexes?

Influencer

Looks like an inheritance issue. Define the new role and select the capabilities for that role manually. 🙂


Re: How to restrict index access to a subset of events, while allowing full access to other indexes?

Path Finder

I believe that that is what was done.


Re: How to restrict index access to a subset of events, while allowing full access to other indexes?

Influencer

Please choose "Accept Answer" if this was your solution so that your question is marked as resolved.
