Security
Highlighted

Permissions and Accelerated Search

Path Finder

I have question concerning Accelerated Search and Data Model Acceleration, but before I ask it let me give you some background on what I plan to do. Currently, I'm trying to scope out what needs to be done when I bring on new clients without having to have multiple environments, dashboards, queries, etc. One thought was that when I bring on a new client, I just create new Indexes with a specific suffix ( such as indexname"Insert Client Name Here" ) and then change my dashboard queries to be index=indexname* thus it will cover all the clients for the specific index type. Last we will just need to set up specific Roles that can only look at specific indexes, thus when let's say CLIENTA run the query index=indexname* they only will receive info from index=indexnameCLIENTA and not index=indexnameOTHER_CLIENTS. This way I can manage many clients with the same queries and not have to worry about making changes to each of their specific dashboards. Then if they want something specific geared only to them, I will create a new dashboard that will only be viewable by the role for their users.

With that in mind, do you think that when I create an accelerated search or a data model that the data in those models will still inherit the permissions I designated for their roles? So keeping with our example, if I have an Accelerated Search with index=indexname* and a user with the CLIENTA role was to use it, they would only receive data for index=indexnameCLIENT_A and still take advantage of the accelerated search's summaries.

0 Karma
Highlighted

Re: Permissions and Accelerated Search

SplunkTrust
SplunkTrust

While I don't know the answer off the top of my head, this should be fairly straightforward to test. Set up two indexes according to your naming scheme along with two roles that can each see only one index. Dump some test data into each index, set up a simple search (index=test_indexes* | stats count by index or whatever) and accelerate that. Then log in with either user and see what's what.

0 Karma
Highlighted

Re: Permissions and Accelerated Search

Path Finder

The permissions to the specific indexes are kept, you just have to ensure that the users permissions enable them to use accelerated searches and data models.

0 Karma