Solved: How to lockdown user write access to indexes

edgarrity · ‎06-14-2022

Our users have discovered that they can add data to indexes. This could lead to a user accidently polluting a production index. I searched the Splunk documentation and the Internet but was unable to find a solution.

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

jamie00171 · ‎06-14-2022

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

jamie00171 · ‎06-14-2022

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin.

If they are adding files through UI then you could remove the inputs_file capability from the roles.

If they are adding inputs then you could remove the edit_monitor capability.

Thanks,

Jamie

jamie00171 · ‎06-14-2022

Please see here for list of capabilites: https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Rolesandcapabilities

edgarrity · ‎06-14-2022

Thanks. Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

jamie00171 · ‎06-14-2022

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

How to lockdown user write access to indexes

administration

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...