Security
Highlighted

srchFilter Role Inheritance: If a user is a member of two roles, how to have the srchFilter apply to indexes of one role, but not the other?

Path Finder

For example, I have a user (test_user) that is a member of these two roles:

    [role_role_a]
    importRoles = user
    srchIndexesAllowed = _audit;_internal
    srchIndexesDefault = _audit;_internal
    srchMaxTime = 0

    [role_role_b]
    cumulativeRTSrchJobsQuota = 0
    cumulativeSrchJobsQuota = 0
    importRoles = user
    srchDiskQuota = 130
    srchFilter = (ConfigVersionId=86 (Address=*))
    srchIndexesDefault = iselogs
    srchMaxTime = 0

This works well, and when this user runs the search, the srchFilter from role_b appears to work:

litsearch ( index=* ) ( ( ( ConfigVersionId=86 ( Address=* ) ) ) )

However, what I would like is only to have the srchFilter be applied to the indexes of roleb, but not rolea (ie. the filtering should not be applying to both _audit and _internal indexes).

I have tried setting srchFilter = * in role_a:

[role_role_a]
importRoles = user
srchFilter = *
srchIndexesAllowed = _audit;_internal
srchIndexesDefault = _audit;_internal
srchMaxTime = 0

But that seems to override the srchFilter for role_b.

Highlighted

Re: srchFilter Role Inheritance: If a user is a member of two roles, how to have the srchFilter apply to indexes of one role, but not the other?

Champion

I'm assuming that you're using an apex role to inherit both rolea and roleb. In this case, you can do a search (as admin) like | rest /services/authorization/roles/role_APEX and look at the imported search filters. If you're not using an apex role, and simply assigning a user both roles simultaneously, I think it's going to be a lot harder to debug. There's not a way that I know of to ask "what would the final filter be?" if you're not using an apex role. You're left trying to intuit what Splunk has implemented on your behalf by testing searches over and over. It may be that one inheritance is actually trumping another, perhaps even down to the name of the role (a coming before b, etc).

I'd approach the problem by setting up an apex role (inheriting from both inferior roles) and then setting an explicit search filter on that role, e.g. (index=internal OR index=audit) OR (index=* (ConfigVersionId=86 (Address=*))). It's ugly, but you'd be sure of what the filter is.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.