I have trouble using Splunk's role management in combination with search restrictions. My setup is straightforward: a user with two roles, where the first role restricts the user to one index.
Now, when this user tries to search on index B, no events are returned?! e.g.:
index="B"
Expected behavior: User should see all events from Index B
Actual behavior: No events are shown
When I remove role A from this user, all events are shown.
When I remove the search restriction on Role A, everything is shown.
What am I missing in this role management?
I would have expected that Splunk iterates over all user roles and evaluates them individually.
My conclusions are:
For the permissions that are positive abilities, you get them all:
- the index access from all roles is merged, therefore your user can search index A and index B (you get the most of all)
- for the capabilities, you get all the enabled ones
- for quotas (search, job, memory...), you get the highest of all
For the permissions that are restrictive, they all apply:
- the search restrictions are both applied, therefore your hidden final restriction becomes ( * AND "Properties.auth"="5a004" )
To compare, you can run the search, open the job inspector, and look at the normalized search; you will see all the restrictions applied.
litsearch (Properties.auth "=" 5a004) | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
However, it seems that the role "admin" is special and removes restrictions (keep in mind that splunk-system-role inherits from admin).
See the same search once you inherit from admin:
normalizedSearch
litsearch * | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
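To make the merge rules in this answer concrete, here is an added example (not Splunk's code, and not part of the original thread) that models them on constructed role records: index access and capabilities are unioned, quotas take the highest value, search filters from all roles are ANDed, and a role named admin (directly assigned or reached through inheritance) lifts the filter. The role names, the ADMIN_ROLES set, the field names on Role and the tiny field=value filter matcher are all assumptions made for the illustration; they are not authorize.conf syntax.

```python
"""Model of how permissions merge across a user's roles, following the
rules stated in the answer above. Added example with constructed data;
not Splunk's own implementation."""
import re
from dataclasses import dataclass, field

# Assumption: roles in this set (or inheriting from one) drop the search filter,
# as the answer observed for "admin" and splunk-system-role.
ADMIN_ROLES = {"admin"}


@dataclass
class Role:
    name: str
    indexes: set = field(default_factory=set)       # like srchIndexesAllowed
    capabilities: set = field(default_factory=set)
    srch_filter: str = "*"                          # like srchFilter; "*" = no restriction
    srch_disk_quota: int = 0                        # quotas: highest of all roles wins
    srch_jobs_quota: int = 0
    imports: tuple = ()                             # like importRoles (inheritance)


def expand_roles(role_names, catalog):
    """Resolve role inheritance so an inherited admin role is accounted for."""
    resolved, todo = {}, list(role_names)
    while todo:
        name = todo.pop()
        if name in resolved:
            continue
        role = catalog[name]
        resolved[name] = role
        todo.extend(role.imports)
    return list(resolved.values())


def effective_permissions(role_names, catalog):
    """Union the grants, take the max quota, AND the restrictions."""
    roles = expand_roles(role_names, catalog)
    if any(r.name in ADMIN_ROLES for r in roles):
        search_filter = "*"                         # admin lifts the restriction
    else:
        parts = sorted({r.srch_filter for r in roles}, key=lambda p: p != "*")  # "*" first
        search_filter = parts[0] if len(parts) == 1 else "( " + " AND ".join(parts) + " )"
    return {
        "indexes": set().union(*(r.indexes for r in roles)),
        "capabilities": set().union(*(r.capabilities for r in roles)),
        "srch_disk_quota": max(r.srch_disk_quota for r in roles),
        "srch_jobs_quota": max(r.srch_jobs_quota for r in roles),
        "search_filter": search_filter,
    }


# Matches one "field"="value" restriction term (constructed mini-grammar, not SPL).
_TERM = re.compile(r'^"?([\w.]+)"?\s*=\s*"?([^"]*)"?$')


def event_visible(perms, index, event):
    """Would an event from `index` survive the merged restriction?"""
    if "*" not in perms["indexes"] and index not in perms["indexes"]:
        return False
    for term in perms["search_filter"].strip("() ").split(" AND "):
        term = term.strip()
        if term == "*":
            continue
        m = _TERM.match(term)
        if not m or event.get(m.group(1)) != m.group(2):
            return False
    return True


# Constructed catalog mirroring the thread: Role A restricts on a field,
# Role B grants index B with no filter, splunk-system-role inherits admin.
CATALOG = {
    "role_a": Role("role_a", indexes={"A"}, capabilities={"search"},
                   srch_filter='"Properties.auth"="5a004"',
                   srch_disk_quota=100, srch_jobs_quota=3),
    "role_b": Role("role_b", indexes={"B"}, capabilities={"search", "schedule_search"},
                   srch_disk_quota=500, srch_jobs_quota=6),
    "admin": Role("admin", indexes={"*"}, capabilities={"admin_all_objects"},
                  srch_disk_quota=10000, srch_jobs_quota=50),
    "splunk-system-role": Role("splunk-system-role", imports=("admin",)),
}

if __name__ == "__main__":
    perms = effective_permissions(["role_a", "role_b"], CATALOG)
    print("merged filter:", perms["search_filter"])
    print("index=B event visible:", event_visible(perms, "B", {"host": "web01"}))
    with_admin = effective_permissions(["role_a", "role_b", "splunk-system-role"], CATALOG)
    print("with splunk-system-role:", with_admin["search_filter"])
```

Running it reproduces the thread's symptom: with role_a and role_b the merged filter is `( * AND "Properties.auth"="5a004" )`, so an event in index B that lacks that field is never returned even though index B is allowed; adding splunk-system-role resolves to admin and the filter collapses to `*`.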
One thing to add: in the absence of reasonably good documentation, and after lots of trial and error, when I add the capability "splunk-system-role" to Role B, the query works well. Still not a solution, since there is no documentation about this capability either. Pretty strange behavior.
When you run the search, check the Job Inspector to see what the actual (normalized) search being executed is. I'm guessing it has the "Properties.auth"="5a004" search restriction applied to index=B, which is resulting in no data.
See this for more details:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Aboutusersandroles#How_users_inherit_sea...
You are right 🙂 I had not looked into the Job Inspector before, but it showed that the restriction from Role A was applied when searching in index B. However, when I add another restriction on Role B, then the restriction of Role B is applied when searching in index B.
I'm unblocked, you made my day! Cheers, Martin!