Limit access to specific events in one index

Contributor

Hi,
I have one role which has Restrict search terms set as index=abc $table="azuredignostics".
How can a user having this role access $table="Perf" data? How can he get access to all data from calculated fields?
I am not able to work out what eval function needs to be created.
As I am using the OMS add-on, it has 1 source, 1 host and 1 sourcetype, so in calculated fields * won't help.

0 Karma
Re: Limit access to specific events in one index

Esteemed Legend

Do not use this feature; it is so easy to bypass, so paper-thin, as to be useless. The only true access-control is denying access to particular index values.

0 Karma
Re: Limit access to specific events in one index

Contributor

Yes, I can understand that there will be a security issue. I just wanted to understand how to bypass and take access to all data using calculated fields, as I was trying to create calculated fields to bypass access but was unable to do so, as I have only 1 host, source and sourcetype.

0 Karma
Re: Limit access to specific events in one index

Esteemed Legend

If the restriction requires a field, then create a calculated field that defines it; if it requires the field not to exist, create a calculated field that sets it to null(). Boom! Bypassed.

0 Karma
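
An audit sketch for the point made in the answers above, added here and not part of the original thread: it reads `authorize.conf` content and lists roles whose `srchFilter` depends on any field other than `index`. The role and index names in the sample are constructed, and treating every non-index field as a weak restriction is this example's assumption, following the answer's statement that only index-level denial is true access control.

```python
import configparser
import re

# Constructed authorize.conf content; role and index names are invented,
# the srchFilter of role_oms_diag is the one quoted in the question.
SAMPLE_AUTHORIZE_CONF = """
[role_oms_diag]
srchIndexesAllowed = abc
srchFilter = index=abc $table="azuredignostics"

[role_oms_perf]
srchIndexesAllowed = oms_perf

[role_ops]
srchIndexesAllowed = abc;oms_perf
srchFilter = index=abc OR index=oms_perf
"""

# A field name followed by a comparison operator, e.g. $table= or host!=
FIELD_TERM = re.compile(r'([$\w.]+)\s*(?:!=|=|::)')


def audit_roles(conf_text):
    """Return {role: [field, ...]} for roles whose srchFilter depends on
    anything other than the index."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        search_filter = parser.get(section, "srchFilter", fallback="").strip()
        fields = {m.group(1) for m in FIELD_TERM.finditer(search_filter)}
        non_index = sorted(fields - {"index"})
        if non_index:
            findings[section] = non_index
    return findings


if __name__ == "__main__":
    for role, fields in audit_roles(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: srchFilter relies on field(s) {', '.join(fields)}; "
              "move that data to its own index and use srchIndexesAllowed")
```

Roles it reports are candidates for splitting the restricted data into a separate index, so that access is decided by `srchIndexesAllowed` alone.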