
Limit access to index by Role without breaking other roles

cboillot
Contributor

I have user A that is getting 3 different roles. Normally this isn't an issue, but one of those roles has a restricted search in it that will only show 4 servers in the main index.

2 of the 3 roles just grant access to specific indexes.

The 3rd role grants access to the main index and has the following restriction:

(host::serverA OR host::serverB OR host::serverC OR host::serverD) 

The issue that I am having is that the restriction is carrying over to the other roles.

How would I set this up so that only those 4 servers are looked for in main without having those restrictions carry over to the other roles?

0 Karma

richgalloway
SplunkTrust

The search restriction is not carrying over into other roles. The user is a member of a role with a search restriction so it is being applied to that role. The user's membership in other roles does not negate the restriction.

A solution would be to create a new role for the user that has the permissions he needs.

---
If this reply helps you, Karma would be appreciated.
0 Karma

cboillot
Contributor

That's what I thought at first, but when we have the role with restrictions applied, the user is not seeing data in index A or B, just the 4 servers in main. But if we remove that role, they are able to see the data in index A and B.

0 Karma

richgalloway
SplunkTrust

That makes perfect sense if indexes A and B do not contain data from host IN (serverA serverB serverC serverD). Once the restriction is removed then the user can see what's in A or B regardless of the host name.

---
If this reply helps you, Karma would be appreciated.
0 Karma

cboillot
Contributor

Right, how do I let the user search all of Index A & B, and only host 1-4 in main?

0 Karma

richgalloway
SplunkTrust

I'm not sure you can. The search restrictions will always get in the way of indexes A and B.

If hosts 1-4 require different security then they should be in a different index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
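
The fix suggested in the last reply (a separate index for the four hosts), sketched as an `authorize.conf` fragment with the thread's setup beside the changed one. This is an added example, not configuration posted by anyone in the thread; the role names and the index name `main_restricted` are hypothetical, and `indexA`/`indexB` stand in for the thread's index A and B.

```ini
# --- Before: the setup described in the thread (role names are hypothetical) ---
[role_index_a]
srchIndexesAllowed = indexA

[role_index_b]
srchIndexesAllowed = indexB

[role_main_four_hosts]
srchIndexesAllowed = main
# Host restriction quoted in the thread. With this role assigned, the user
# reported seeing only these four hosts and nothing from indexA or indexB.
srchFilter = (host::serverA OR host::serverB OR host::serverC OR host::serverD)

# --- After: the four hosts get their own index (hypothetical name) ---
# Assumes serverA-serverD are reconfigured to write to main_restricted
# instead of main (for example "index = main_restricted" in the relevant
# inputs.conf stanzas on those hosts).
[role_main_four_hosts]
srchIndexesAllowed = main_restricted
# No srchFilter here: the index boundary does the restricting, so nothing
# is left to interfere with searches against indexA or indexB.
```

For this to hold, none of the user's roles may still list `main` under `srchIndexesAllowed`, or the other hosts in `main` become visible. Events already indexed in `main` stay there; only new events from the four hosts land in the new index.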