I have a small all-in-one testing instance of Splunk Enterprise 8.1.3 (no one has bothered to update it for now ;-))
I wanted to do some testing on the question I posted yesterday - about permissions for datamodels and so on.
Anyway, I created two indexes - dm_test1 and dm_test2. I created two users - test1 and test2. I created a separate role for each user. Each role has only one capability - search. And only one allowed index - dm_test1 for the test1 role and dm_test2 for the test2 role. There are no inherited capabilities, because I don't inherit from any other roles, and test1 and test2 are the only roles assigned to the test1 and test2 users.
So in theory, user test1 should only be able to do searches against test1 index and test2 - against test2.
But it doesn't work. Both users can do searches from any index I have. Even from _internal ones.
How to debug it?
Again - there is no inheritance (at least no explicit one as far as I know about)
These are the roles:
As you can see - native capabilities - 1 each, no inherited capabilities.
The "view indexes" checker shows only one native index per role and no inherited indexes.
The users have only one role each
So what's going on??? 🤔
Just to make sure, do the searches return any results, or do they only complete as succeeded? Because even without the permissions the user can run a search against the index, but the search will not bring back any results.
Yes, I know that even without permissions the searches would complete properly, just not return any events. But that's not the case here.
In each index I have 100 manually generated events. Regardless of which index I'm searching from with which user, I can get all those 100 events as a result.
I also get events from other indexes to which either of those test users should not have access at all.
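One way to check whether the configuration really grants what the UI shows is to compute the effective index list for a role from the merged authorize.conf (`splunk btool authorize list --debug` prints the merged view) and compare it with the indexes the user actually got results from. The script below is an added example, not something posted in this thread or shipped with Splunk: it parses a constructed authorize.conf modelled on the two roles above, follows `importRoles` chains, and expands `srchIndexesAllowed` patterns with the `;` separator and `*` / `_*` wildcards as described in the Splunk authorize.conf reference (the rule that a plain `*` does not cover `_`-prefixed internal indexes is applied here as an assumption about Splunk's semantics). The `role_analyst` stanza and the index list are constructed for illustration.

```python
"""Compute the effective index access a Splunk role grants.

Added illustration (not from the thread): resolves importRoles chains in a
constructed authorize.conf, expands srchIndexesAllowed wildcards and reports
indexes a user returned results from that the config cannot explain.
"""
import fnmatch
from typing import Dict, List, Set

# Constructed sample authorize.conf mirroring the thread's two roles, plus a
# deliberately over-broad 'analyst' role to show how importRoles widens access.
SAMPLE_AUTHORIZE_CONF = """
[role_test1]
srchIndexesAllowed = dm_test1
srchIndexesDefault = dm_test1
search = enabled

[role_test2]
srchIndexesAllowed = dm_test2
srchIndexesDefault = dm_test2
search = enabled

# A role that imports 'user' picks up everything 'user' can read.
[role_analyst]
importRoles = user
srchIndexesAllowed = dm_test1

[role_user]
srchIndexesAllowed = *;_*
srchIndexesDefault = main
"""

# Constructed index list: the thread's two test indexes plus typical built-ins.
SAMPLE_INDEXES = ["dm_test1", "dm_test2", "main", "_internal", "_audit"]


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _split(value: str) -> List[str]:
    """Splunk separates multi-valued role settings with ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def _matches(index: str, pattern: str) -> bool:
    """Glob match; assumption: a non-'_' pattern never matches internal indexes."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def effective_allowed_patterns(stanzas: Dict[str, Dict[str, str]], role: str,
                               seen: Set[str] = None) -> Set[str]:
    """Union of srchIndexesAllowed over the role and every role it imports."""
    seen = seen if seen is not None else set()
    if role in seen:  # guard against importRoles cycles
        return set()
    seen.add(role)
    conf = stanzas.get(f"role_{role}", {})
    patterns = set(_split(conf.get("srchIndexesAllowed", "")))
    for parent in _split(conf.get("importRoles", "")):
        patterns |= effective_allowed_patterns(stanzas, parent, seen)
    return patterns


def searchable_indexes(stanzas: Dict[str, Dict[str, str]], role: str,
                       indexes: List[str]) -> List[str]:
    """Concrete indexes the role can read, after wildcard expansion."""
    patterns = effective_allowed_patterns(stanzas, role)
    return sorted(i for i in indexes if any(_matches(i, p) for p in patterns))


def unexpected_access(stanzas: Dict[str, Dict[str, str]], role: str,
                      indexes: List[str], observed: List[str]) -> List[str]:
    """Indexes the user got events from that the merged config does not grant."""
    return sorted(set(observed) - set(searchable_indexes(stanzas, role, indexes)))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("test1", "test2", "analyst"):
        print(role, "->", searchable_indexes(conf, role, SAMPLE_INDEXES))
    # Symptom from the thread: test1 sees events from every index.
    print("unexplained for test1:",
          unexpected_access(conf, "test1", SAMPLE_INDEXES,
                            ["dm_test1", "dm_test2", "_internal"]))
```

Feed the real merged output of `splunk btool authorize list --debug` into `parse_conf` instead of the sample; if `unexpected_access` is empty but the user still gets the events, the problem is not in authorize.conf and the next place to look is which user the search is actually running as (the session and the `user` field in the search job's audit entry).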