Index permissions don't seem to work

PickleRick
SplunkTrust

I have a small all-in-one testing instance of Splunk Enterprise 8.1.3 (no one bothered to update it for now ;-))

I wanted to do some testing on the question I posted yesterday, about permissions for datamodels and so on.

Anyway, I created two indexes, dm_test1 and dm_test2. I created two users, test1 and test2, and a separate role for each user. Each role has only one capability: search. And only one allowed index: dm_test1 for the test1 role and dm_test2 for the test2 role. There are no inherited capabilities, because I don't inherit from any other roles, and test1 and test2 are the only roles assigned to the test1 and test2 users.

So in theory, user test1 should only be able to do searches against the test1 index, and test2 against test2.

But it doesn't work. Both users can do searches from any index I have. Even from _internal ones.

How to debug it?

Again, there is no inheritance (at least no explicit one, as far as I know).

These are the roles:

[screenshot: PickleRick_0-1633422545973.png]

As you can see: native capabilities, 1 each, no inherited capabilities.

The "view indexes" checker shows only one native index per role and no inherited indexes.

The users have only one role each:

[screenshot: PickleRick_1-1633422742342.png]

So what's going on??? 🤔

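One way to debug a setup like the one described above is to stop trusting the UI summary and recompute the effective index access from the configuration itself. The script below is an added example, not code from the original post or from Splunk: it parses the `[role_*]` stanzas of an authorize.conf, follows `importRoles` transitively, and reports which indexes each role can actually search, applying Splunk's documented convention that `*` matches only non-internal indexes and `_*` only internal ones. The authorize.conf text is constructed for the example, and the `broad_reader` role it contains is hypothetical (it stands in for the kind of inherited role that would explain seeing `_internal` events).

```python
from fnmatch import fnmatchcase

# Constructed sample authorize.conf, modelled on the setup in the question
# (two roles, one index each). The hypothetical broad_reader role, imported by
# test2, is the kind of hidden inheritance worth looking for.
SAMPLE_AUTHORIZE_CONF = """
[role_test1]
search = enabled
srchIndexesAllowed = dm_test1
srchIndexesDefault = dm_test1

[role_test2]
search = enabled
srchIndexesAllowed = dm_test2
importRoles = broad_reader

[role_broad_reader]
srchIndexesAllowed = *;_*
"""


def parse_authorize_conf(text):
    """Parse the [role_*] stanzas of an authorize.conf into {role: {key: value}}."""
    roles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            # Only role stanzas matter here; other stanzas are skipped.
            current = stanza[len("role_"):] if stanza.startswith("role_") else None
            if current is not None:
                roles.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        roles[current][key.strip()] = value.strip()
    return roles


def split_list(value):
    """Splunk list-valued settings (srchIndexesAllowed, importRoles) are ';'-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_indexes(roles, role, _seen=None):
    """Union of srchIndexesAllowed over the role and every role it imports, transitively."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()          # unknown role or import cycle: contributes nothing
    seen.add(role)
    allowed = set(split_list(roles[role].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[role].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, seen)
    return allowed


def can_search(patterns, index):
    """True if any allowed pattern matches the index name.

    Per Splunk's documented convention, '*' covers only non-internal indexes and
    '_*' only internal ones, so a pattern and an index must agree on the leading '_'.
    """
    for pattern in patterns:
        if index.startswith("_") != pattern.startswith("_"):
            continue
        if fnmatchcase(index, pattern):
            return True
    return False


def report(conf_text, indexes):
    """Map each role to the sorted list of indexes (from `indexes`) it can search."""
    roles = parse_authorize_conf(conf_text)
    return {
        role: sorted(i for i in indexes if can_search(effective_indexes(roles, role), i))
        for role in roles
    }


if __name__ == "__main__":
    known_indexes = ["dm_test1", "dm_test2", "_internal", "main"]  # constructed
    for role, idx in report(SAMPLE_AUTHORIZE_CONF, known_indexes).items():
        print(f"{role:14s} -> {', '.join(idx) or '(nothing)'}")
```

On a real instance the merged configuration (all apps and local overrides, which is what actually applies) can be dumped with `splunk btool authorize list --debug` and fed to `parse_authorize_conf`; the `--debug` output prefixes each line with the file it came from, so strip that prefix first. If a role that should see one index ends up matching `_internal`, the offending `srchIndexesAllowed` or `importRoles` line and the file it lives in is what to look for.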

danielcj
Communicator

Hello,

Just to make sure: do the searches return any results, or do they only return as succeeded? Because even without the permissions the user could search the index, but the search would not bring back any results.


PickleRick
SplunkTrust

Yes, I know that even without permissions the searches would complete properly, just not return any events. But it's not that case.

In each index I have 100 manually generated events. Regardless of which index I'm searching and with which user, I get all those 100 events as a result.

I also get events from other indexes to which either of those test users should not have access at all.
