Solved: How to lockdown user write access to indexes

edgarrity · ‎06-14-2022

Our users have discovered that they can add data to indexes. This could lead to a user accidently polluting a production index. I searched the Splunk documentation and the Internet but was unable to find a solution.

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

jamie00171 · ‎06-14-2022

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

jamie00171 · ‎06-14-2022

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin.

If they are adding files through UI then you could remove the inputs_file capability from the roles.

If they are adding inputs then you could remove the edit_monitor capability.

Thanks,

Jamie

jamie00171 · ‎06-14-2022

Please see here for list of capabilites: https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Rolesandcapabilities

edgarrity · ‎06-14-2022

Thanks. Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

jamie00171 · ‎06-14-2022

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

How to lockdown user write access to indexes

administration

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to lockdown user write access to indexes

administration

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!