Security

Per-index permissions

Communicator

This isn't a question on how to set the permissions, but more on why they are the way they are.

Every object in Splunk (saved search, a view xml, an app, etc) has it's own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.

This isn't the case with indexes however.

I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.

This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.

Is there a technical reason why they were permissioned out this way, instead of how every other object is?

EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.

Splunk Employee
Splunk Employee

I suppose you can create two new roles - each with their own list of allowed indexes - and then configure your existing roles to inherit from them. Basically you're exploiting the inheritance feature for allowed indexes, as documented here: About Configuring role-based user access

Communicator

This is actually what I ended up doing - was just hoping there was a better/more straight-forward way 🙂

Thanks

0 Karma

Champion

It's the basis of creating roles now in Splunk. I would also like to have an option where we can choose option which index is not accessible.

while index creation it would be hard to maintain which role it belongs to.

0 Karma