Security

Per-index permissions

Ricapar
Communicator

This isn't a question on how to set the permissions, but more on why they are the way they are.

Every object in Splunk (saved search, a view xml, an app, etc) has its own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.

This isn't the case with indexes however.

I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.

This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.

Is there a technical reason why they were permissioned out this way, instead of how every other object is?

EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.

_d_
Splunk Employee

I suppose you can create two new roles - each with their own list of allowed indexes - and then configure your existing roles to inherit from them. Basically you're exploiting the inheritance feature for allowed indexes, as documented here: About Configuring role-based user access

Ricapar
Communicator

This is actually what I ended up doing - was just hoping there was a better/more straight-forward way 🙂

Thanks

0 Karma

linu1988
Champion

It's the basis of creating roles now in Splunk. I would also like to have an option where we can choose which index is not accessible.

During index creation it would be hard to maintain which role it belongs to.

0 Karma
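
An added example, not part of the thread or Splunk's own tooling: a small audit script for the inheritance layout discussed above, resolving `importRoles` chains in `authorize.conf` text to list which roles can search a given index. The role and index names are constructed, and it reads only `srchIndexesAllowed` and `importRoles`, which is an assumption about what your configuration uses.

```python
import fnmatch

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_idx_common]
srchIndexesAllowed = main;web;os
[role_idx_restricted]
srchIndexesAllowed = hr_secure
[role_analyst]
importRoles = idx_common
[role_hr_analyst]
importRoles = idx_common;idx_restricted
"""

def parse_roles(text):
    """Return {role: {"allowed": set, "imports": list}} from authorize.conf text."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # Only [role_<name>] stanzas carry index permissions.
            current = (roles.setdefault(name[5:], {"allowed": set(), "imports": []})
                       if name.startswith("role_") else None)
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            items = [v.strip() for v in value.split(";") if v.strip()]
            if key == "srchIndexesAllowed":
                current["allowed"].update(items)
            elif key == "importRoles":
                current["imports"].extend(items)
    return roles

def effective_patterns(roles, role, seen=None):
    """Index patterns a role holds directly plus those inherited via importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # guards against import cycles
        return set()
    seen.add(role)
    result = set(roles[role]["allowed"])
    for parent in roles[role]["imports"]:
        result |= effective_patterns(roles, parent, seen)
    return result

def matches(index, pattern):
    # "*" covers non-internal indexes only; internal ones need a "_" pattern.
    internal_mismatch = index.startswith("_") and not pattern.startswith("_")
    return not internal_mismatch and fnmatch.fnmatchcase(index, pattern)

def roles_with_access(roles, index):
    """Sorted role names whose effective patterns match the index name."""
    return sorted(r for r in roles
                  if any(matches(index, p) for p in effective_patterns(roles, r)))
```

Running `roles_with_access(parse_roles(conf_text), "hr_secure")` against the merged configuration gives the audit view per index that the role edit page does not.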