Why is Index Based RBAC not working?

HaydenMc
New Member

Hey all,

Working on creating some access control based on indices and running into a weird issue. When I create a custom role and grant this role all capabilities (with no role inheritance) to the specified index, I'm not able to search data inside that index. However, if I create said custom role inheriting the user role, but with the exact same capabilities, it then lets me search.

I've also cloned the user role and appended the index permissions to suit my needs, but I'm experiencing the exact same issue: the cloned role has no access to the allowed indices, but the second I inherit the user role it seems to work again.

This behaviour is only found on our dedicated search heads. When I enable the web UI and replicate on indexers, it works as expected with the custom role searching assigned indices.

Splunk Enterprise Version: 9.0.0.1

Any help would be appreciated!!!

Thanks guys

gcusello
SplunkTrust

Hi @HaydenMc,

Are you sure that you flagged the "Included" box option for your index in the Role definition page?

Ciao.

Giuseppe

HaydenMc
New Member

Hi @gcusello,

Thanks for the reply. Yes, can confirm the included box has been ticked. Just for testing, I've cloned the out-of-box user role with everything, including the accessible indexes, and I am experiencing the exact same issue. Any user assigned this cloned role has no access, but for any user assigned the user role (the role that I cloned), it works as expected. It's almost like the out-of-the-box user role is somehow different to the cloned role I've created.

Thanks

isoutamo
SplunkTrust

Those access issues are quite hard to solve with the GUI. I usually use a separate app which can tell how Splunk has expanded those roles. Here is one which you could install and test in your (test) environment: https://splunkbase.splunk.com/app/4111/#/details

r. Ismo
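
To illustrate the role expansion mentioned in the post above (an added example, not part of the thread and not the Splunkbase app's code): this Python resolves `importRoles` in authorize.conf text and reports what an inheriting role effectively gains over a standalone one. The role names and sample stanzas are constructed, and the input is assumed to be already-merged configuration, such as the output of `splunk btool authorize list` on the search head.

```python
import configparser

# Constructed sample (not from the thread): a stand-in for the built-in
# "user" role, a custom role without inheritance, and one that inherits.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
list_inputs = enabled
srchIndexesAllowed = main

[role_app_team]
search = enabled
srchIndexesAllowed = app_index

[role_app_team_inherit]
importRoles = user
srchIndexesAllowed = app_index
"""

def load_roles(text):
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text)
    return {s[5:]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def split_list(value):
    return {v.strip() for v in value.split(";") if v.strip()}

def effective(roles, name, seen=None):
    """Return (capabilities, allowed indexes) after following importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # cycle or unknown role
        return set(), set()
    seen.add(name)
    conf = roles[name]
    caps = {k for k, v in conf.items() if v.strip().lower() == "enabled"}
    indexes = split_list(conf.get("srchIndexesAllowed", ""))
    for parent in split_list(conf.get("importRoles", "")):
        parent_caps, parent_indexes = effective(roles, parent, seen)
        caps, indexes = caps | parent_caps, indexes | parent_indexes
    return caps, indexes

def gained_by(roles, base, other):
    """What `other` effectively has that `base` lacks."""
    base_caps, base_idx = effective(roles, base)
    caps, idx = effective(roles, other)
    return sorted(caps - base_caps), sorted(idx - base_idx)
```

Running `gained_by` on the merged configuration from a search head and from an indexer, for the same pair of roles, shows whether the two instances resolve the roles differently.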


gcusello
SplunkTrust

Hi @HaydenMc,

As I said, I never experienced this behavior, and I used this feature many times, but never with the last Splunk version.

I suggest opening a ticket with Splunk Support; it could be a bug.

Ciao.

Giuseppe
