Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Per-index permissions

Ricapar
Communicator
‎07-25-2013 08:26 AM

This isn't a question on how to set the permissions, but more on why they are the way they are.

Every object in Splunk (saved search, a view xml, an app, etc) has it's own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.

This isn't the case with indexes however.

I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.

This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.

Is there a technical reason why they were permissioned out this way, instead of how every other object is?

EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.

Reply

_d_
Splunk Employee
Splunk Employee
‎07-25-2013 09:04 AM

I suppose you can create two new roles - each with their own list of allowed indexes - and then configure your existing roles to inherit from them. Basically you're exploiting the inheritance feature for allowed indexes, as documented here: About Configuring role-based user access

Reply

Ricapar
Communicator
‎07-26-2013 04:41 AM

This is actually what I ended up doing - was just hoping there was a better/more straight-forward way 🙂

Thanks

0 Karma
Reply

linu1988
Champion
‎07-25-2013 08:42 AM

It's the basis of creating roles now in Splunk. I would also like to have an option where we can choose option which index is not accessible.

while index creation it would be hard to maintain which role it belongs to.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...
Top