Security

Restrict Users to Search Specific Indexes

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I have a number of teams who have Splunk apps which contain the 'search' functionality, with each app allocated it's own role which in turn, we assign to users.

I'm now wanting to allocate the roles to specific indexes for the purpose of increased efficiency and security which I'm comfortable and able to do.

I'm told, that although the 'search' function is a link within the app, I'm not able to restrict the indexes via the role to prevent users being able to search indexes not pertinent to the user.

Could someone please confirm for me whether this is correct or not?

Many thanks and kind regards

Chris

0 Karma
1 Solution

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair, thank you for coming back to me with this.

Just to be absolutely sure. If a user uses the search window to type in a 'raw' search they can only do so on the indexes assigned to the role?

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

Hello Chris,

If an index is assigned to the role under "Selected search indexes", then all the users associated under the role can only access that particular index unless you have another role which has other indexes. If you have more than one role assigned to a user, then it will be a union of all indexes of all roles.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair.

Many thanks for the confirmation.

Kind Regards

Chris

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...