Index permissions don't seem to work

Ultra Champion

I have a small all-in-one testing instance of Splunk Enterprise 8.1.3 (no one bothered to update for now ;-))

I wanted to do some testing on the question I posted yesterday - about permissions for datamodels and so on.

Anyway, I created two indexes - dm_test1 and dm_test2. I created two users - test1 and test2. Created a separate role for each user. Each role has only one capability - search. And only one allowed index - dm_test1 for test1 role and dm_test2 for test2 role. There are no inherited capabilities, because I don't inherit from any other roles and the test1 and test2 are the only roles assigned to test1 and test2 users.

So in theory, user test1 should only be able to do searches against test1 index and test2 - against test2.

But it doesn't work. Both users can do searches from any index I have. Even from _internal ones.

How do I debug it?

Again - there is no inheritance (at least no explicit one as far as I know).

These are the roles:


As you can see - native capabilities - 1 each, no inherited capabilities.

The "view indexes" checker shows only one native index per role and no inherited indexes.

The users have only one role each.


So what's going on??? 🤔

0 Karma



Just to make sure, do the searches return any results or only return as succeeded? Because even without the permissions, the user could search on the index, but the search will not bring any results.

0 Karma

Ultra Champion

Yes, I know that even without permissions the searches would complete properly, just not return any events. But that's not the case.

In each index I have 100 manually generated events. Regardless of which index I'm searching from with which user, I can get all those 100 events as a result.

I also get events from other indexes to which either of those test users should not have access at all.

0 Karma