Splunk Cloud Platform

How to lockdown user write access to indexes

edgarrity
Path Finder

Our users have discovered that they can add data to indexes.  This could lead to a user accidently polluting a production index.  I searched the Splunk documentation and the Internet but was unable to find a solution.  

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Labels (1)
0 Karma
1 Solution

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

jamie00171
Communicator

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin. 

If they are adding files through UI then you could remove the inputs_file capability from the roles. 

If they are adding inputs then you could remove the edit_monitor capability.

Thanks, 

Jamie

jamie00171
Communicator

edgarrity
Path Finder

Thanks.  Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

0 Karma

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...