Security

srchFilter Role Inheritance: If a user is a member of two roles, how to have the srchFilter apply to indexes of one role, but not the other?

tsunamii
Path Finder

For example, I have a user (test_user) that is a member of these two roles:

    [role_role_a]
    importRoles = user
    srchIndexesAllowed = _audit;_internal
    srchIndexesDefault = _audit;_internal
    srchMaxTime = 0

    [role_role_b]
    cumulativeRTSrchJobsQuota = 0
    cumulativeSrchJobsQuota = 0
    importRoles = user
    srchDiskQuota = 130
    srchFilter = (ConfigVersionId=86 (Address=*))
    srchIndexesDefault = iselogs
    srchMaxTime = 0

This works well, and when this user runs the search, the srchFilter from role_b appears to work:

litsearch ( index=* ) ( ( ( ConfigVersionId=86 ( Address=* ) ) ) )

However, what I would like is only to have the srchFilter be applied to the indexes of role_b, but not role_a (ie. the filtering should not be applying to both _audit and _internal indexes).

I have tried setting srchFilter = * in role_a:

[role_role_a]
importRoles = user
srchFilter = *
srchIndexesAllowed = _audit;_internal
srchIndexesDefault = _audit;_internal
srchMaxTime = 0

But that seems to override the srchFilter for role_b.

sowings
Splunk Employee
Splunk Employee

I'm assuming that you're using an apex role to inherit both role_a and role_b. In this case, you can do a search (as admin) like | rest /services/authorization/roles/role_APEX and look at the imported search filters. If you're not using an apex role, and simply assigning a user both roles simultaneously, I think it's going to be a lot harder to debug. There's not a way that I know of to ask "what would the final filter be?" if you're not using an apex role. You're left trying to intuit what Splunk has implemented on your behalf by testing searches over and over. It may be that one inheritance is actually trumping another, perhaps even down to the name of the role (a coming before b, etc).

I'd approach the problem by setting up an apex role (inheriting from both inferior roles) and then setting an explicit search filter on that role, e.g. (index=_internal OR index=_audit) OR (index=* (ConfigVersionId=86 (Address=*))). It's ugly, but you'd be sure of what the filter is.

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...