Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

control/limit users to search or view the data stored in specific directories

myli12
Path Finder
‎02-01-2011 12:57 AM

control/limit users to search or view the data stored in specific directories

What I am trying to achieve is

limit "user 1" to search the data stored in "Directory 1" only and "user 2" to view/search "Directory 2" only

What I did is similar to http://answers.splunk.com/questions/6195/is-it-possible-to-use-macros-to-restrict-search-terms

(1) create two new indexes, say I1 & I2 (2) splunk stop; splunk clean eventdata; splunk start; login as admin (3) create two new roles R1 & R2, assign I1 to R1 as the selected search index (the last configuration in the creating a role) and similarly assign I2 to R2. (4) create two new users U1 & U2, assign U1 (U2) as role R1 (U2) (5) manage data inputs --> file & directory --> add directory D1, and set the index I1. Similar handled D2 and I2.

If logged in as U1, index I2 did not show in the summary page. However, I can still put "index=I2" in the search bar to see the data indexed by I2 (essentially the data stored in directory D2). Anyone could help which is the problem?

Tags (1)
0 Karma
Reply

myli12
Path Finder
‎02-02-2011 08:37 PM

I did check authorize.conf which located in "\Splunk\etc\system\local", it reads ""

[role_c5viewer]

importRoles = user

rtSrchJobsQuota = 0

rtsearch = enabled

srchDiskQuota = 0

srchIndexesAllowed = c5only

srchIndexesDefault = c5only

srchJobsQuota = 0

If I logged as one user assigned role "c5viewer," I can only see data indexed by c5only in the search summary page. But I can still retrieve data indexed by r2only (a different index) if putting

index="r2only"

in the search bar. The results come with all the data indexed by "r2only"

Any thoughts what can be the issue?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎02-01-2011 01:09 AM

It sounds like it had you configure the Indexes Searched by Default. If you go into the role config, you should be able to specify Available Search Indexes. Do you see any indexes listed there? You can also look for srchIndexesAllowed in authorize.conf. You may also need to restart splunk (killing all user sessions and re-reading config files) to get it to take effect.

Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...