Security

Restrict Users to Search Specific Indexes

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I have a number of teams who have Splunk apps which contain the 'search' functionality, with each app allocated it's own role which in turn, we assign to users.

I'm now wanting to allocate the roles to specific indexes for the purpose of increased efficiency and security which I'm comfortable and able to do.

I'm told, that although the 'search' function is a link within the app, I'm not able to restrict the indexes via the role to prevent users being able to search indexes not pertinent to the user.

Could someone please confirm for me whether this is correct or not?

Many thanks and kind regards

Chris

0 Karma
1 Solution

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair, thank you for coming back to me with this.

Just to be absolutely sure. If a user uses the search window to type in a 'raw' search they can only do so on the indexes assigned to the role?

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

Hello Chris,

If an index is assigned to the role under "Selected search indexes", then all the users associated under the role can only access that particular index unless you have another role which has other indexes. If you have more than one role assigned to a user, then it will be a union of all indexes of all roles.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair.

Many thanks for the confirmation.

Kind Regards

Chris

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...