
Why is Index Based RBAC not working?

HaydenMc
New Member

Hey all,

Working on creating some access control based on indices and running into a weird issue. When I create a custom role and grant this role all capabilities (with no role inheritance) to the specified index, I'm not able to search data inside that index. However, if I create said custom role inheriting the user role, but with the exact same capabilities, it then lets me search.

I've also cloned the user role and appended the index permissions to suit my needs, but I'm experiencing the exact same issue: the cloned role has no access to the allowed indices, but the second I inherit the user role it seems to work again.

This behaviour is only found on our dedicated search heads. When I enable the web UI and replicate on indexers, it works as expected, with the custom role searching assigned indices.

Splunk Enterprise Version: 9.0.0.1

 

Any help would be appreciated!!!

Thanks guys

 

 


gcusello
SplunkTrust

Hi @HaydenMc,

are you sure that you flagged the "Included" box option for your index in the Role definition page?


Ciao.

Giuseppe

 


HaydenMc
New Member

Hi @gcusello,

Thanks for the reply. Yes, I can confirm the Included box has been ticked. Just for testing, I've cloned the out-of-the-box user role with everything, including the accessible indexes, and I am experiencing the exact same issue. Any user assigned this cloned role has no access, but for any user assigned the user role (the role that I cloned), it works as expected. It's almost like the out-of-the-box user role is somehow different to the cloned role I've created.

 

Thanks

 


isoutamo
SplunkTrust

Those access issues are quite hard to solve with the GUI. I usually use some separate app which can tell how Splunk has expanded those roles. Here is one which you could install and test in your (test) environment: https://splunkbase.splunk.com/app/4111/#/details

r. Ismo


gcusello
SplunkTrust

Hi @HaydenMc,

As I said, I never experienced this behavior, and I have used this feature many times, but never with the last Splunk version.

I suggest opening a ticket with Splunk Support; it could be a bug.

Ciao.

Giuseppe
