control/limit users to search or view the data stored in specific directories

myli12
Path Finder

What I am trying to achieve is

limit "user 1" to search the data stored in "Directory 1" only and "user 2" to view/search "Directory 2" only

What I did is similar to http://answers.splunk.com/questions/6195/is-it-possible-to-use-macros-to-restrict-search-terms

(1) Create two new indexes, say I1 and I2.
(2) splunk stop; splunk clean eventdata; splunk start; log in as admin.
(3) Create two new roles, R1 and R2; assign I1 to R1 as the selected search index (the last setting when creating a role) and similarly assign I2 to R2.
(4) Create two new users, U1 and U2; assign U1 (U2) the role R1 (R2).
(5) Manage data inputs --> Files & directories --> add directory D1 and set the index to I1. Handle D2 and I2 the same way.

If I log in as U1, index I2 does not show on the summary page. However, I can still put "index=I2" in the search bar and see the data indexed into I2 (essentially the data stored in directory D2). Could anyone help with what the problem is?


myli12
Path Finder

I did check authorize.conf, which is located in "\Splunk\etc\system\local". It reads:

[role_c5viewer]
importRoles = user
rtSrchJobsQuota = 0
rtsearch = enabled
srchDiskQuota = 0
srchIndexesAllowed = c5only
srchIndexesDefault = c5only
srchJobsQuota = 0

If I log in as a user assigned the role "c5viewer", I can only see data indexed into c5only on the search summary page. But I can still retrieve data indexed into r2only (a different index) by putting

index="r2only"

in the search bar. The results include all the data indexed into "r2only".

Any thoughts what can be the issue?


David
Splunk Employee

It sounds like it had you configure the Indexes Searched by Default. If you go into the role config, you should be able to specify Available Search Indexes. Do you see any indexes listed there? You can also look for srchIndexesAllowed in authorize.conf. You may also need to restart Splunk (killing all user sessions and re-reading config files) to get it to take effect.
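One thing worth checking beyond the role's own stanza: the c5viewer stanza posted above has importRoles = user, and in authorize.conf a role's index permissions (srchIndexesAllowed and srchIndexesDefault) are the union of its own values and those of every role it imports, transitively. If the imported user role allows * (which is what the role_user stanza in etc/system/default/authorize.conf grants on a stock install; confirm on your system with "splunk btool authorize list role_user"), the c5only restriction is widened back to every non-internal index, which matches the symptom in the thread. The script below is an added example written for this page, not code from the thread or from Splunk: it parses a constructed authorize.conf (the role_user stanza mirrors the shipped default, the c5viewer stanza is the one posted above, and role_c5viewer_fixed is a corrected variant with no imported role), computes each role's effective allowed indexes by walking importRoles, and flags roles whose effective access is wider than their own stanza states.

```python
"""Compute a Splunk role's effective index access from authorize.conf.

Added example, not from the thread or from Splunk. Implements the
authorize.conf rule that srchIndexesAllowed / srchIndexesDefault are the
UNION of a role's own value and the values of every role it imports.
The config below is constructed for the example (merged default+local view).
"""
import configparser
import fnmatch

# Constructed sample. role_user mirrors the stanza Splunk ships by default;
# verify yours with: splunk btool authorize list role_user --debug
SAMPLE_AUTHORIZE_CONF = """
[role_user]
importRoles =
srchIndexesAllowed = *
srchIndexesDefault = main

# as posted in the thread: restricted on paper, but imports "user"
[role_c5viewer]
importRoles = user
srchIndexesAllowed = c5only
srchIndexesDefault = c5only

# corrected variant: no imported role, so nothing widens the allowed list
[role_c5viewer_fixed]
importRoles =
srchIndexesAllowed = c5only
srchIndexesDefault = c5only
"""


def load_roles(text):
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep camelCase keys such as srchIndexesAllowed
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def _split(value):
    """Splunk lists are ';'-separated; an empty setting yields no entries."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def effective(roles, role, key, seen=None):
    """Union of `key` over `role` and everything it imports (cycle-safe)."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    result = set(_split(roles[role].get(key)))
    for parent in _split(roles[role].get("importRoles")):
        result |= effective(roles, parent, key, seen)
    return result


def matches(patterns, index):
    """Index-name matching: '*' covers non-internal indexes only;
    internal indexes (leading underscore) need a pattern such as '_*'."""
    for pat in patterns:
        if index.startswith("_") != pat.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pat):
            return True
    return False


def can_search(roles, role, index):
    """True if an explicit index=<index> search would be permitted for role."""
    return matches(effective(roles, role, "srchIndexesAllowed"), index)


def audit(roles):
    """Roles whose effective allowed set is wider than their own stanza says."""
    findings = {}
    for name, stanza in roles.items():
        own = set(_split(stanza.get("srchIndexesAllowed")))
        eff = effective(roles, name, "srchIndexesAllowed")
        if eff - own:
            findings[name] = sorted(eff - own)
    return findings


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for name in roles:
        allowed = sorted(effective(roles, name, "srchIndexesAllowed"))
        print(f"{name}: effective srchIndexesAllowed = {allowed}")
    print("widened by imports:", audit(roles))
```

Run against the real merged config by piping the output of "splunk btool authorize list" into load_roles. The fix the audit points at is either to drop importRoles = user from the restricted role (as in role_c5viewer_fixed) or to import a custom base role that carries the capabilities you need without a wildcard in srchIndexesAllowed; in either case restart Splunk afterwards, since existing sessions keep their old role resolution.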
