Our users have discovered that they can add data to indexes. This could lead to a user accidently polluting a production index. I searched the Splunk documentation and the Internet but was unable to find a solution.
Does anyone know how we can restrict write-access to indexes to the sc_admin role and allow read access for everyone else?
No problem, from my experience (with Splunk enterprise) the changes take place immediately.
hi @edgarrity ,
Assuming the users are adding data via the collect command then you could remove the "run_collect" capability from user roles apart from sc_admin.
If they are adding files through UI then you could remove the inputs_file capability from the roles.
If they are adding inputs then you could remove the edit_monitor capability.
Thanks,
Jamie
Please see here for list of capabilites: https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Rolesandcapabilities
Thanks. Do I need to restart Splunk Cloud after making changes to users capabilities or will the changes take effect immediately?
No problem, from my experience (with Splunk enterprise) the changes take place immediately.