Splunk Cloud Platform

How to lockdown user write access to indexes

edgarrity
Path Finder

Our users have discovered that they can add data to indexes.  This could lead to a user accidently polluting a production index.  I searched the Splunk documentation and the Internet but was unable to find a solution.  

Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?

Labels (1)
0 Karma
1 Solution

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

View solution in original post

jamie00171
Communicator

hi @edgarrity ,

Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin. 

If they are adding files through UI then you could remove the inputs_file capability from the roles. 

If they are adding inputs then you could remove the edit_monitor capability.

Thanks, 

Jamie

jamie00171
Communicator

edgarrity
Path Finder

Thanks.  Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?

0 Karma

jamie00171
Communicator

No problem, from my experience (with Splunk enterprise) the changes take place immediately.

Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...