Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to lockdown user write access to indexes

edgarrity
Path Finder
‎06-14-2022 06:50 AM

Our users have discovered that they can add data to indexes.  This could lead to a user accidently polluting a production index.  I searched the Splunk documentation and the Internet but was unable to find a solution.  

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-14-2022 02:33 PM

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

Reply
Solved! Jump to solution

jamie00171
Communicator
‎06-14-2022 08:57 AM

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin. 

If they are adding files through UI then you could remove the inputs_file capability from the roles. 

If they are adding inputs then you could remove the edit_monitor capability.

Thanks, 

Jamie

Reply
Solved! Jump to solution

jamie00171
Communicator
‎06-14-2022 08:57 AM

Please see here for list of capabilites: https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Rolesandcapabilities

Reply
Solved! Jump to solution

edgarrity
Path Finder
‎06-14-2022 09:15 AM

Thanks.  Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

0 Karma
Reply
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-14-2022 02:33 PM

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...