Security

Restricting access to an index

rmorlen
Splunk Employee

I am trying to restrict access for a specific access. (Splunk 5.05) In the case below I don't want the power users to have access to indexes security1 or security2. This doesn't seem to work.
Any suggestions?

In Authorize.conf:

[role_power]
list_httpauths = enabled
rtsearch = enabled
rtSrchJobsQuota = 5
schedule_search = enabled
srchDiskQuota = 3000
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchFilter = index!=security1;security2
srchJobsQuota = 30

0 Karma
1 Solution

rmorlen
Splunk Employee

This worked:

srchFilter = index!=security1 index!=security2

0 Karma

Ayn
Legend

"srchFilter" is a semi-colon delimited list of search filters for a role. In your case you have two search filters: "index!=security" and "security2". These are search terms that will be added to all searches for this role automatically. I suspect you don't want "security2" as a search filter. Perhaps you're looking for something like this?

srchFilter = index!=security1;index!=security2

0 Karma

rmorlen
Splunk Employee

Sorry. It didn't work. Users received the message:
"Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side."

0 Karma

rmorlen
Splunk Employee

Thanks. I will give this a try.

0 Karma
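
A small lint for the mistake discussed in this thread, as an added example that is not part of any post and not Splunk's own code: it reads authorize.conf text and reports role stanzas whose srchFilter contains ';' or lacks a separate index!=<name> term for each restricted index. It assumes whitespace-separated terms as in the accepted answer; the role_power_fixed stanza and the function name are hypothetical, and the check is textual, not Splunk's search parser.

```python
import configparser

# Constructed sample: the role stanza from the question (trimmed) plus a
# hypothetical role_power_fixed stanza using the filter from the accepted answer.
SAMPLE_CONF = """
[role_power]
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchFilter = index!=security1;security2

[role_power_fixed]
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchFilter = index!=security1 index!=security2
"""


def audit_srch_filters(conf_text, restricted):
    """Return {stanza: [finding, ...]} for role stanzas whose srchFilter does
    not exclude every index in `restricted` with its own index!=<name> term."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; configparser lowercases by default
    parser.read_string(conf_text)

    report = {}
    for stanza in parser.sections():
        if not stanza.startswith("role_"):
            continue
        srch_filter = parser.get(stanza, "srchFilter", fallback="")
        findings = []
        # Both semicolon forms posted in the thread failed for the poster.
        if ";" in srch_filter:
            findings.append("srchFilter contains ';'")
        # Assumption: terms are separated by whitespace, as in the accepted answer.
        terms = srch_filter.split()
        for index in restricted:
            if f"index!={index}" not in terms:
                findings.append(f"no standalone term index!={index}")
        if findings:
            report[stanza] = findings
    return report


if __name__ == "__main__":
    for role, issues in audit_srch_filters(SAMPLE_CONF, ["security1", "security2"]).items():
        print(role, issues)
```
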