Security

Users are able to see search results from an index that they don't have permission for

ps
Explorer

Hi,

I am using Splunk Enterprise Version:8.0.1

I have a bunch of indexes and roles for users. I created a role that has only one capability, "search", and permission to only one index (included, default).

When I run a search command, e.g. *, from Search & Reporting's search, I get the expected result: only search results from the index that the user has permission for.

If I run the search: index IN("<index_with_permission>" "<index_not_permission_in_role>") I get all the results, also from the index that the user has no permission for. Any idea what could be the issue?

0 Karma

gcusello
SplunkTrust

Hi @ps,

Check if you inherited your role from another one (e.g. user); in this case you have all the grants of the other role.

Ciao.

Giuseppe

0 Karma

ps
Explorer

Hi,

The role was newly generated for this test after I noticed this problem; it has not inherited any permissions and has only "search" in its capability list.

0 Karma

gcusello
SplunkTrust

Hi @ps,

Inheritance is the only way because you have access to an index not directly granted.

Ciao.

Giuseppe

ps
Explorer

Hi,

Thanks for the quick answer. I checked the user again and you were correct. The Splunk default role "user" allows you to search from any index, even ones that you don't have permission for. After removing this, search results are as expected.

0 Karma

gcusello
SplunkTrust

Hi @ps,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
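The resolution of this thread, as an added example that is not code from any poster or from Splunk: a user's searchable indexes are the union over every role assigned to the account and every role those roles import, so a narrow custom role does not restrict anything while a broad role is also present. The sketch assumes the `importRoles` and `srchIndexesAllowed` settings of `authorize.conf`; the stanzas and the role names `web_only` and `web_team` are constructed for illustration.

```python
import fnmatch

# Constructed authorize.conf fragment (not from the thread): a narrow custom
# role beside a broad role modelled on what the thread reports about "user".
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *

[role_web_only]
srchIndexesAllowed = web
srchIndexesDefault = web

[role_web_team]
importRoles = web_only;user
"""

def parse_roles(text):
    """Parse [role_<name>] stanzas into {name: {key: [values]}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name[5:], {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = [v.strip() for v in value.split(";") if v.strip()]
    return roles

def effective_indexes(roles, assigned):
    """Union srchIndexesAllowed over the assigned roles and all roles they import."""
    seen, allowed, stack = set(), set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen or role not in roles:
            continue
        seen.add(role)
        allowed.update(roles[role].get("srchIndexesAllowed", []))
        stack.extend(roles[role].get("importRoles", []))
    return allowed, seen

def can_search(allowed, index):
    """Plain glob match of an index name against the allowed patterns
    (a simplification; it does not special-case internal '_' indexes)."""
    return any(fnmatch.fnmatchcase(index, pattern) for pattern in allowed)
```

Calling `effective_indexes(parse_roles(conf_text), roles_of_user)` with the roles actually assigned to an account shows which role contributes a wildcard before it is removed.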