Splunk Cloud Platform

How to lockdown user write access to indexes

edgarrity
Path Finder

Our users have discovered that they can add data to indexes.  This could lead to a user accidently polluting a production index.  I searched the Splunk documentation and the Internet but was unable to find a solution.  

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Labels (1)
0 Karma
1 Solution

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

jamie00171
Communicator

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin. 

If they are adding files through UI then you could remove the inputs_file capability from the roles. 

If they are adding inputs then you could remove the edit_monitor capability.

Thanks, 

Jamie

jamie00171
Communicator

edgarrity
Path Finder

Thanks.  Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

0 Karma

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...