Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

srchFilter Role Inheritance: If a user is a member of two roles, how to have the srchFilter apply to indexes of one role, but not the other?

tsunamii
Path Finder
‎05-03-2016 01:03 PM

For example, I have a user (test_user) that is a member of these two roles:

    [role_role_a]
    importRoles = user
    srchIndexesAllowed = _audit;_internal
    srchIndexesDefault = _audit;_internal
    srchMaxTime = 0

    [role_role_b]
    cumulativeRTSrchJobsQuota = 0
    cumulativeSrchJobsQuota = 0
    importRoles = user
    srchDiskQuota = 130
    srchFilter = (ConfigVersionId=86 (Address=*))
    srchIndexesDefault = iselogs
    srchMaxTime = 0

This works well, and when this user runs the search, the srchFilter from role_b appears to work:

litsearch ( index=* ) ( ( ( ConfigVersionId=86 ( Address=* ) ) ) )

However, what I would like is only to have the srchFilter be applied to the indexes of role_b, but not role_a (ie. the filtering should not be applying to both _audit and _internal indexes).

I have tried setting srchFilter = * in role_a:

[role_role_a]
importRoles = user
srchFilter = *
srchIndexesAllowed = _audit;_internal
srchIndexesDefault = _audit;_internal
srchMaxTime = 0

But that seems to override the srchFilter for role_b.

Reply

sowings
Splunk Employee
Splunk Employee
‎05-03-2016 01:33 PM

I'm assuming that you're using an apex role to inherit both role_a and role_b. In this case, you can do a search (as admin) like | rest /services/authorization/roles/role_APEX and look at the imported search filters. If you're not using an apex role, and simply assigning a user both roles simultaneously, I think it's going to be a lot harder to debug. There's not a way that I know of to ask "what would the final filter be?" if you're not using an apex role. You're left trying to intuit what Splunk has implemented on your behalf by testing searches over and over. It may be that one inheritance is actually trumping another, perhaps even down to the name of the role (a coming before b, etc).

I'd approach the problem by setting up an apex role (inheriting from both inferior roles) and then setting an explicit search filter on that role, e.g. (index=_internal OR index=_audit) OR (index=* (ConfigVersionId=86 (Address=*))). It's ugly, but you'd be sure of what the filter is.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...