Index 1, Role 1
Index 2, Role 2
Index 3, Role 3
Now I need a new role which give full access to Index 2, and partial access to Index 1, e.g. just to a certain sourcetype.
How do I achieve this? I tried a srchFilters, but its applied to the complete search.
+ If tomorrow someone orders Role 3 in addition it should give full access to Index 1, 3 and the partial access to 2...
with the new Splunk 8 you can define a role which gives you partial access to an index.
I mean you can build a role which is based on a given index and then restict the access based on fields of your choosing (sourcetype, host, ...)
After going through this previously, I believe the comments by @adonio are valid here!
Because of the way Splunk is designed, at least as of version 7.1.x, the index access controls are per-role, there is no method to control access to part of an index or a particular sourcetype within an index.
The srchFilter option allows you to change a query in the search screen of the user, so for example if the search filter is:
index=X OR (index=Y sourcetype=Z)
Then if the user searches for anything that will be added to the search behind the scenes, there are a few issues with search filters in my opinion:
For those last two points refer to:
How users inherit search filter restrictions
How users inherit search filter restrictions You can create roles that inherit the characteristics of other roles. Users assigned to multiple roles inherit properties from the assigned roles. In the case of search filters, if a user is assigned to roles with different search filters, the filters are all combined and thus the restrictions of each role are applied. For example, by default, the Power and User roles do not have search filters defined to restrict searches. If a user has a combination of these roles and another role with filters defined (for example, srchFilter=x), the user will inherit the restrictions of that role, despite the association with roles that have no filter.
For example if I created a role A, and B, role A has access to index X and "srchFilter=index=x sourcetype=Z", role B has no search filter but has access to index Y, I provide a user roles A & B, I then run a search such as:
litsearch (index=Y test index=X sourcetype=Z)
Therefore the search will not return results!
To summarise if you use search filters, you will have to use them on every role a user might be added to, they can be bypassed (or at least they could in older versions of Splunk), and the configuration will quickly become ugly!
In terms of solutions I cannot offer any easy options here, as per the suggestions either re-thinking the index strategy, relaxing the access to data within the index, or summary indexes are all valid options...
Good luck, please accept the answer or up-vote if it helps as it does take a lot of effort to write posts like this!
i think you are in the right direction using search filters
index = 1 OR (index = 2 sourcetype = foo)
read here more:
hope it helps
thanks for your speedy reply, that would indeed work, but its not feasible for us.
1.) Ownership for Index 1 might be different. So the Owner of Role 4 might not be allowed to grant access to index 1, which he/she would give implicit.
2.) We do not want to modify the Splunk config for every possible combination. So the access to different indexes should still be controlled by different roles. Not my modifying Role 4 all the times.
you can use summary index ...
create a search that capture the pieces of data form index 1 and populates summary index 1.
have your new role see the new summary index and anything else it need to see
whether this approach is good or bad or somewhere in between is for the user to decide. i thought about it plenty, you are not the only one that encountered this challenge.
Doesn't matter if i (or you) like it or not, this is how Splunk handles RBAC and the options i suggested above are the common workarounds...
Another approach you can consider is to "double index" the portion of data you want Role 4 to access, by routing and filtering data. challenge here is that it will cost you double license.
Will be more than happy to see if there are other ideas / solutions / workarounds to your challenge.
all the best