Index permissions don't seem to work

Ultra Champion

I have a small all-in-one testing instance of Splunk Enterprise 8.1.3 (noone bothered to update for now ;-))

I wanted to do some testing on the question I posted yesterday - about permissions for datamodels and so on.

Anyway, I created two indexes - dm_test1 and dm_test2. I created two users - test1 and test2. Created a separate role for each user. Each role has only one capability - search. And only one allowed index - dm_test1 for test1 role and dm_test2 for test2 role. There are no inherited capabilities, because I don't inherit from any other roles and the test1 and test2 are the only roles assigned to test1 and test2 users.

So in theory, user test1 should only be able to do searches against test1 index and test2 - against test2.

But it doesn't work. Both users can do searches from any index I have. Even from _internal ones.

How to debug it?

Again - there is no inheritance (at least no explicit one as far as I know about)

These are the roles:


As you can see - native capabilities - 1 each, no inherited capabilities.

The "view indexes" checker shows only one native index per role and no inherited indexes.

The users have only one role each


So what's going on??? 🤔

Labels (2)
Tags (1)
0 Karma



Just to make sure, the searches returns any results or only returns as succeeded? Because, even without the permissions the user could search on the index but the search will not bring any results.

0 Karma

Ultra Champion

Yes, I know that even without permissions the searches would complete properly, just not return any events. But it's not that case.

In each index I have 100 manually generated events. Regardless of which index I'm searching from with which user, I can get all those 100 events as a result.

I also get events from other indexes to which either of those test users should not have access at all.

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...