We have multiple departments and their data indexed into a Splunk indexer. How can we define roles/permissions to access their specific department content/searches/indexes/sourcetypes? If a user "A" belongs to departments "D1" and "D2", user "A" should have permission only to the sourcetypes/content/searches/dashboards belonging to "D1" and "D2".
Can you please suggest the optimized solution for this in Splunk user management?
What we have done is to create separate apps, we call them "workspaces", for each group. A Role is created for the group/department and assigned write access for their app. (This is done via the app management.)
If the data for a group needs to be segmented we would create a separate index; the group's Role would then be given access to this index. (This is done via access controls.)
You can learn more about assigning the permissions here: http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutusersandroles
My suggestion would be this.
This way, if roledept1 is set to access only indexdept1 and all dept1-related Splunk objects are assigned read/write only to roledept1, then a user in roledept1 (only) can access dept-related data/objects only.
We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept
Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department by department in a very strict way: basically, for each department, we remove the views they don't need.
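
The setup the answers above describe (one role per department limited to that department's index, plus app-level read/write permissions), written out as configuration. This is an added example, not taken from any of the posts: roledept1 and indexdept1 are the names used in the second answer, while roledept2, indexdept2 and the app name dept1_workspace are assumed for illustration.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---

[role_roledept1]
# Deliberately no importRoles line: an imported role passes on its own
# index access as well as its capabilities, which would widen this role
# beyond indexdept1.
search = enabled
# Indexes this role is allowed to search at all.
srchIndexesAllowed = indexdept1
# Indexes searched when a query does not name an index.
srchIndexesDefault = indexdept1

# Assumed second department, same pattern.
[role_roledept2]
search = enabled
srchIndexesAllowed = indexdept2
srchIndexesDefault = indexdept2

# --- $SPLUNK_HOME/etc/apps/dept1_workspace/metadata/local.meta ---
# (dept1_workspace is an assumed app name for the dept1 "workspace")

# The empty stanza applies to every object in the app.
[]
access = read : [ roledept1 ], write : [ roledept1 ]
# Keep dept1 dashboards and saved searches from being shared to other apps.
export = none
```

A user who belongs to both D1 and D2 is assigned both roles and gets the union of their index access. To check a role, log in as a test user holding only that role and confirm that a search against another department's index returns no events.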