Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Per-index permissions

Ricapar
Communicator
‎07-25-2013 08:26 AM

This isn't a question on how to set the permissions, but more on why they are the way they are.

Every object in Splunk (saved search, a view xml, an app, etc) has it's own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.

This isn't the case with indexes however.

I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.

This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.

Is there a technical reason why they were permissioned out this way, instead of how every other object is?

EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.

Reply

_d_
Splunk Employee
Splunk Employee
‎07-25-2013 09:04 AM

I suppose you can create two new roles - each with their own list of allowed indexes - and then configure your existing roles to inherit from them. Basically you're exploiting the inheritance feature for allowed indexes, as documented here: About Configuring role-based user access

Reply

Ricapar
Communicator
‎07-26-2013 04:41 AM

This is actually what I ended up doing - was just hoping there was a better/more straight-forward way 🙂

Thanks

0 Karma
Reply

linu1988
Champion
‎07-25-2013 08:42 AM

It's the basis of creating roles now in Splunk. I would also like to have an option where we can choose option which index is not accessible.

while index creation it would be hard to maintain which role it belongs to.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...