Security

Why am I unable to get to _internal index with a custom role?

Builder

In my authorize.conf, I have the following stanza:

[role_predix-ops-user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *_predix_*;_*;last_chance_predix
srchIndexesDefault = *_predix_*
srchMaxTime = 30d
srchJobsQuota = 15
rtSrchJobsQuota = 1

If I grant a user this role, should they not be able to see internal index given `srchIndexesAllowed = *_predix;_;last_chance_predix`

Please advise.

0 Karma

SplunkTrust
SplunkTrust

Hi Brent,

Take a look at the descriptions of these two settings in the docs https://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Authorizeconf.

Are you specifying an index in the search (index=blah | ...)? Your settings show that the indexes to search by default are the predix indexes. It does not include _internal. So you will get that error.

Nadine

0 Karma

Builder

Hey there yes we are specifying the index _internal when we query.

0 Karma