- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Restrict Users to Search Specific Indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone could help me please.
I have a number of teams who have Splunk apps which contain the 'search' functionality, with each app allocated it's own role which in turn, we assign to users.
I'm now wanting to allocate the roles to specific indexes for the purpose of increased efficiency and security which I'm comfortable and able to do.
I'm told, that although the 'search' function is a link within the app, I'm not able to restrict the indexes via the role to prevent users being able to search indexes not pertinent to the user.
Could someone please confirm for me whether this is correct or not?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can restrict a role to search only specific indexes
Settings » Access controls » Roles »
Edit the role and you can set which indexes can be accessed by this role by setting the values under
Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.
Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can restrict a role to search only specific indexes
Settings » Access controls » Roles »
Edit the role and you can set which indexes can be accessed by this role by setting the values under
Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.
Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair, thank you for coming back to me with this.
Just to be absolutely sure. If a user uses the search window to type in a 'raw' search they can only do so on the indexes assigned to the role?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Chris,
If an index is assigned to the role under "Selected search indexes", then all the users associated under the role can only access that particular index unless you have another role which has other indexes. If you have more than one role assigned to a user, then it will be a union of all indexes of all roles.
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair.
Many thanks for the confirmation.
Kind Regards
Chris
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
