Our users have discovered that they can add data to indexes. This could lead to a user accidentally polluting a production index. I searched the Splunk documentation and the Internet but was unable to find a solution.
Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?
Hi @edgarrity,
Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin.
If they are adding files through the UI then you could remove the inputs_file capability from the roles.
If they are adding inputs then you could remove the edit_monitor capability.
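
Added example (not part of the original answer, and not Splunk's own tooling): a capability removed from one role can still reach users through role inheritance, so this sketch computes each role's effective capabilities and lists every role other than sc_admin that still holds one of the three named above. It assumes the role definitions are available as text in authorize.conf syntax; the sample roles are constructed, and the capability names are copied as written in the answer.

```python
import configparser

# Capability names exactly as written in the answer above.
WRITE_CAPS = {"run_collect", "inputs_file", "edit_monitor"}
ALLOWED_ROLES = {"sc_admin"}

# Constructed sample in authorize.conf syntax (not from a real deployment).
SAMPLE_CONF = """
[role_user]
run_collect = enabled
[role_power]
importRoles = user
edit_monitor = enabled
[role_analyst]
importRoles = power
run_collect = disabled
[role_sc_admin]
importRoles = power
inputs_file = enabled
"""

def parse_roles(text):
    """Return {role: (imported_roles, locally_enabled_capabilities)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so importRoles is matched as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(cp[section])
        imports = [r.strip() for r in opts.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (imports, caps)
    return roles

def effective_caps(role, roles, seen=None):
    """Local capabilities plus everything inherited; 'seen' guards against import cycles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    imports, caps = roles[role]
    return caps.union(*(effective_caps(p, roles, seen) for p in imports))

def find_writers(text, caps=WRITE_CAPS, allowed=ALLOWED_ROLES):
    roles = parse_roles(text)
    hits = {r: sorted(effective_caps(r, roles) & caps) for r in roles if r not in allowed}
    return {r: c for r, c in hits.items() if c}
```

In the sample, `analyst` sets `run_collect = disabled` locally but is still reported, because the capability arrives through `power` and `user`; the fix has to be made on the role that grants it.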