Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: PCI application permissions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PCI application permissions
The PCI application searches seem to have the permissions for all of the searches and views set to global. What config file(s) do I have to modify to restrict them to the PCI app? Doing it thru the GUI will take forever
Thx.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is currently not possible to do that.
For PCI Suite, all the Apps need to appear at the Global level and changing this will negatively affect the PCIComplianceSuite (which is acting as Master Apps).
You could set up two different instances (if you are OK with splitting your data) or two different Search Heads (if you want to keep your data centralized) , one for all logs and one for PCI logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in the default.meta for one of those apps, is it not possible to change the "export = system" to something like "export = PCIComplianceSuite"? Is it possible to export the app to anything other than system?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They are in the app's metadata\*.meta files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The PCI App is broken up into a dozen or so applications and the data is summarized and presented through the PCIComplianceSuite application. How can I modify the default.meta file to stop all of the searches and views from appearing in every application without breaking the PCIComplianceSuite app? Otherwise it's going to take a lifetime to do make those changes on a search by search basis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I modify permissions for some searches in the GUI, the local.meta looks like this:
[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody
[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody
[savedsearches/PCI%201.1.5%20-%20Trend%20Blocked%20Communication%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what I see in the PCI app as an example.
In the PCI-Requirement1 folder, there is a default.meta and a local.meta file.
The default.meta looks like this:
[/nobody/PCI-Requirement1]
access = read : [ * ], write : [ admin ]
export = system
[/nobody/PCI-Requirement1/eventtypes]
export = system
[/nobody/PCI-Requirement1/indexes]
export = system
[/nobody/PCI-Requirement1/prefs]
export = system
[/nobody/PCI-Requirement1/props]
export = system
[/nobody/PCI-Requirement1/savedsearches]
export = system
[/nobody/PCI-Requirement1/tags]
export = system
[/nobody/PCI-Requirement1/transforms
Index This | Why did the turkey cross the road?
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Feel the Splunk Love: Real Stories from Real Customers
