Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Limit access to index by Role without breaking other roles

cboillot
Contributor
‎12-06-2021 08:30 AM

I have user A that is getting 3 different roles. Normally this isn't an issue, but one of those roles has a restricted search in it that will only show 4 servers in the main index.

2 of the 3 roles just grants access to specific indexes.

The 3rd role grants access to the main index and has the following restriction:

(host::serverA OR host::serverB OR host::serverC OR host::serverD) 

The issue that I am having is that restriction is carrying over to the other roles. 

How would I set this up that only those 4 servers are looked for in main without having those restrictions carry over to the other roles.

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2021 08:52 AM

The search restriction is not carrying over into other roles. The user is a member of a role with a search restriction so It is being applied to that role.  The user's membership in other roles does not negate the restriction.

A solution would be to create a new role for the user that has the permissions he needs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cboillot
Contributor
‎12-06-2021 09:06 AM

That's what I thought at first, but when we have the role with restrictions applied, the user is not seeing data in index A or B, just the 4 servers in main. But if we remove that role, they are able to see the data in index A and B

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2021 11:17 AM

That makes perfect sense if indexes A and B do not contain data from host IN (serverA serverB serverC serverD).  Once the restriction is removed then the user can see what's in A or B regardless of the host name.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cboillot
Contributor
‎12-06-2021 11:51 AM

Right, how do I let the user search all of Index A & B, and only host 1-4 in main?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2021 05:14 PM

I'm not sure you can.  The search restrictions will always get in the way of indexes A and B.

If hosts 1-4 require different security then they should be in a different index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...