We have two separate analytic apps running in a single setup. Users should be able to access both the apps and view the dashboards present in them. However, currently it is possible for a user to search for data of an app using the search page of the other app.
For example, if we have two apps A and B using indexes indexA and indexB respectively, users are able to search for data contained in indexB from app A's search page.
We want to restrict this in such a way that a user searching in app A should be allowed access only to indexA and user searching in app B should be allowed to access only indexB.
Is this possible? If so, please let me know how it can be done.
Thanks in advance
couple of way.
from index side you create a index rectrict
Create a local account on add roles to users
accelerate_datamodel = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = ;_;_audit;_blocksignature;_internal;_introspection;_thefishbucket;adprod;adtest;aix;akamai;am_prod;am_test;bcoat_logs;citrix_licensing;citrix_licensing_alerts;coheren
As the answer provided by kml_uvce is the best solution in terms of security, I'm thinking in an alternative solution. It's considerably less secure and I wouldn't recommend it, I'm just trying to give you more choices.
If you don't want to force the user to logout and login again in order to change the app, you can mask the real index name with an automatic lookup as explained in http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index.ht.... As lookups can be isolated to an app, if the user doesn't know the real index name will not be able to search in it out of the app where the lookup is applied. You should also keep the indexes out of "indexes searched by default" in the rol/user config to avoid them appearing in the search statistics.
Create roles AUser and Buser under Settings->Access controls -> Roles ,give search index IndexA for AUser and IndexB for BUser and assign permissions of app A to role AUser and app B to Buser.
Assign respective users to role AUser and BUser under Settings->Access controls -> Users
I think this can not be achieved. The restrictions to the data are applied at a role level. If you have access to a index, you can search that index data from any app