Index permissions don't seem to work

Ultra Champion

I have a small all-in-one testing instance of Splunk Enterprise 8.1.3 (no one bothered to update for now ;-)).

I wanted to do some testing on the question I posted yesterday - about permissions for datamodels and so on.

Anyway, I created two indexes - dm_test1 and dm_test2. I created two users - test1 and test2. Created a separate role for each user. Each role has only one capability - search. And only one allowed index - dm_test1 for test1 role and dm_test2 for test2 role. There are no inherited capabilities, because I don't inherit from any other roles and the test1 and test2 are the only roles assigned to test1 and test2 users.

So in theory, user test1 should only be able to do searches against test1 index and test2 - against test2.

But it doesn't work. Both users can do searches from any index I have. Even from _internal ones.

How to debug it?

Again - there is no inheritance (at least no explicit one, as far as I know).

These are the roles:


As you can see - native capabilities - 1 each, no inherited capabilities.

The "view indexes" checker shows only one native index per role and no inherited indexes.

The users have only one role each.


So what's going on??? 🤔

0 Karma



Just to make sure: do the searches return any results, or do they only return as succeeded? Because even without the permissions, the user could search on the index, but the search will not bring any results.

0 Karma

Ultra Champion

Yes, I know that even without permissions the searches would complete properly, just not return any events. But it's not that case.

In each index I have 100 manually generated events. Regardless of which index I'm searching from with which user, I can get all those 100 events as a result.

I also get events from other indexes to which either of those test users should not have access at all.

0 Karma
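One way to cross-check the role screens against the configuration itself, as an added example that is not part of the original thread: the script below reads text in `authorize.conf` format and resolves, per user, which indexes the assigned roles allow once `importRoles` and wildcards in `srchIndexesAllowed` are followed. The sample configuration, the function names and the index list are constructed for illustration (the sample deliberately gives one role an import so the difference is visible), and the rule that only a pattern starting with `_` matches internal indexes is taken from Splunk's documented wildcard behaviour.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in authorize.conf format (not the poster's configuration).
SAMPLE_AUTHORIZE_CONF = """
[role_test1]
srchIndexesAllowed = dm_test1
[role_test2]
importRoles = user
srchIndexesAllowed = dm_test2
[role_user]
srchIndexesAllowed = *;_internal
"""

def load_roles(text):
    """Return {role_name: {setting: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as importRoles
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    """Split a semicolon-separated setting, ignoring empty entries."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def effective_patterns(roles, name, seen=None):
    """Own srchIndexesAllowed plus everything reached through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)  # guards against import cycles
    patterns = set(split_list(roles[name].get("srchIndexesAllowed")))
    for parent in split_list(roles[name].get("importRoles")):
        patterns |= effective_patterns(roles, parent, seen)
    return patterns

def index_allowed(patterns, index):
    """Internal (underscore) indexes match only patterns that start with '_'."""
    return any(fnmatchcase(index, p) for p in patterns
               if p.startswith("_") or not index.startswith("_"))

def audit(text, user_roles, indexes):
    """Map each user to the sorted list of indexes their roles allow."""
    roles = load_roles(text)
    report = {}
    for user, assigned in user_roles.items():
        pats = set().union(*(effective_patterns(roles, r) for r in assigned))
        report[user] = sorted(i for i in indexes if index_allowed(pats, i))
    return report
```

Any index in the result that the role screen does not show points at a setting the role picks up from another stanza or configuration layer.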