Security

Limit access to index by Role without breaking other roles

cboillot
Contributor

I have user A that is getting 3 different roles. Normally this isn't an issue, but one of those roles has a restricted search in it that will only show 4 servers in the main index.

2 of the 3 roles just grants access to specific indexes.

The 3rd role grants access to the main index and has the following restriction:

(host::serverA OR host::serverB OR host::serverC OR host::serverD) 

The issue that I am having is that the restriction is carrying over to the other roles.

How would I set this up so that only those 4 servers are looked for in main, without having those restrictions carry over to the other roles?


richgalloway
SplunkTrust

The search restriction is not carrying over into other roles. The user is a member of a role with a search restriction, so it is being applied to that role. The user's membership in other roles does not negate the restriction.

A solution would be to create a new role for the user that has the permissions he needs.

---
If this reply helps you, Karma would be appreciated.

cboillot
Contributor

That's what I thought at first, but when we have the role with restrictions applied, the user is not seeing data in index A or B, just the 4 servers in main. But if we remove that role, they are able to see the data in index A and B.


richgalloway
SplunkTrust

That makes perfect sense if indexes A and B do not contain data from host IN (serverA serverB serverC serverD). Once the restriction is removed, the user can see what's in A or B regardless of the host name.

---
If this reply helps you, Karma would be appreciated.

cboillot
Contributor

Right, how do I let the user search all of Index A & B, and only host 1-4 in main?


richgalloway
SplunkTrust

I'm not sure you can. The search restrictions will always get in the way of indexes A and B.

If hosts 1-4 require different security then they should be in a different index.

---
If this reply helps you, Karma would be appreciated.
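The behaviour described in this thread can be checked with a small model of how a role's search filter combines with index grants. This is an added illustration for the thread, not Splunk code and not anything posted by the participants. It assumes that a user's allowed indexes are the union of their roles' index grants, that a role's search filter is appended to every search the user runs regardless of which index the search targets, and that filters from several roles are ORed together while an empty filter contributes nothing (so a single filtered role ends up constraining all searches). The index name `restricted`, the role names and the sample events are all constructed for the example.

```python
"""Model of Splunk role search filters versus index grants (added example)."""

# Constructed sample events as (index, host) pairs: four restricted hosts
# live in main alongside an unrestricted host, and indexes A and B hold
# data from other hosts.
EVENTS_ORIGINAL = [
    ("main", "serverA"), ("main", "serverB"), ("main", "serverX"),
    ("indexA", "web01"), ("indexB", "db01"),
]

# The same data after the fix proposed in the thread: hosts that need
# different security moved into their own index (name is constructed).
EVENTS_SPLIT = [
    ("restricted", "serverA"), ("restricted", "serverB"), ("main", "serverX"),
    ("indexA", "web01"), ("indexB", "db01"),
]

# Roles as dicts: which indexes they grant, and the host filter, if any.
# `hosts` models the role's search restriction (host::serverA OR ...).
ROLE_INDEX_A = {"indexes": {"indexA"}, "hosts": None}
ROLE_INDEX_B = {"indexes": {"indexB"}, "hosts": None}
ROLE_MAIN_FILTERED = {
    "indexes": {"main"},
    "hosts": {"serverA", "serverB", "serverC", "serverD"},
}
ROLE_RESTRICTED_INDEX = {"indexes": {"restricted"}, "hosts": None}


def visible_events(roles, events):
    """Return the events a user holding `roles` can see.

    Index access is the union of the roles' grants. Any non-empty host
    filter is applied to every search (assumption: filters from multiple
    roles are ORed; an empty filter adds nothing), so a filter attached
    to the main-index role also removes non-matching events from A and B.
    """
    allowed_indexes = set().union(*(r["indexes"] for r in roles))
    filters = [r["hosts"] for r in roles if r["hosts"]]

    def passes_filter(host):
        if not filters:          # no role carries a restriction
            return True
        return any(host in f for f in filters)

    return [
        (index, host) for index, host in events
        if index in allowed_indexes and passes_filter(host)
    ]


def original_setup():
    """Three roles, one of them filtered: only the four hosts survive."""
    return visible_events(
        [ROLE_INDEX_A, ROLE_INDEX_B, ROLE_MAIN_FILTERED], EVENTS_ORIGINAL)


def without_filtered_role():
    """Drop the filtered role: A and B become visible, main disappears."""
    return visible_events([ROLE_INDEX_A, ROLE_INDEX_B], EVENTS_ORIGINAL)


def separate_index_setup():
    """Fix from the thread: put the four hosts in their own index and grant
    that index with no search filter, so A and B are no longer constrained."""
    return visible_events(
        [ROLE_INDEX_A, ROLE_INDEX_B, ROLE_RESTRICTED_INDEX], EVENTS_SPLIT)


if __name__ == "__main__":
    print("original:        ", original_setup())
    print("filtered role off:", without_filtered_role())
    print("separate index:  ", separate_index_setup())
```

Running the module reproduces the symptom in the thread: with the filtered role present, only the `main` events from the listed hosts remain, and removing that role brings `indexA` and `indexB` back while losing `main`. The third function shows why a separate index is the clean answer: once the restricted hosts have their own index, the role can grant that index outright and no search filter needs to exist, so nothing leaks onto the other roles.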