Splunk Enterprise Security

DB Connect App generates a data leak issue - each user with the db_connect_user role has full access to all indexes

conwaw
Explorer

Hi,

I have installed a Splunk Enterprise system with multiple users. Each of our users has access only to specified indexes.

On our search head I have installed the Splunk DB Connect App. This app includes two user roles:

db_connect_admin (with admin permissions)
db_connect_user (with user permission)

To allow my users (~400 users) to use the Splunk DB Connect App, I have assigned each user a new role - db_connect_user.

After a few weeks one of my users discovered that he has full access to all indexes. I was really surprised because until now everything was restricted. I have reviewed all roles and I realised that each user with the db_connect_user role assigned has full access to all indexes. This is an enterprise system with a lot of indexes containing sensitive information.

The problem is generated by this field (Role -> Indexes -> All non-internal indexes), which cannot be deactivated in the GUI (or I do not know how to do it - maybe someone will help here):

[screenshot]

I got information from support that this capability cannot be deactivated, which is wrong.

I have uninstalled the Splunk DB Connect App, and everything went back to normal.

[screenshot]

I just would like to warn all users that installing this add-on generates a high risk of data leak.

I have opened a ticket with support, but as I see it our discussion is going nowhere...

Maybe someone will be able to help me and tell me how to deactivate the "Indexes > All non-internal indexes" field in the role?

I'm using the latest release of that app and Splunk 8.0.

I appreciate any hints.

Cheers
Konrad

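A defender-side check for exactly the failure mode described in this post, added here as an example and not part of the thread or of the DB Connect app: it parses role stanzas in Splunk's authorize.conf syntax (where `srchIndexesAllowed = *` is the setting behind the GUI's "All non-internal indexes" choice) and reports every role that ends up with that grant, including roles that only inherit it through importRoles. The stanzas below are constructed sample input; the role named `user` is assumed to be defined elsewhere and is deliberately absent.

```python
import configparser

# Constructed sample in authorize.conf syntax (not the DB Connect app's real file): an app-shipped
# role granting every non-internal index ('*'), a restricted role, and a role that inherits the grant.
SAMPLE_AUTHORIZE_CONF = """
[role_db_connect_user]
importRoles = user
srchIndexesAllowed = *

[role_finance_analyst]
srchIndexesAllowed = finance;hr_payroll

[role_finance_dbx]
importRoles = finance_analyst;db_connect_user
"""

def parse_roles(text: str) -> dict:
    """Map role name -> {'allowed': srchIndexesAllowed entries, 'imports': importRoles entries}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            split = lambda key: {v.strip() for v in cp[section].get(key, "").split(";") if v.strip()}
            roles[section[len("role_"):]] = {"allowed": split("srchIndexesAllowed"),
                                             "imports": split("importRoles")}
    return roles

def broad_grant_sources(roles: dict, name: str, seen=None) -> set:
    """Roles in name's import chain (itself included) whose srchIndexesAllowed contains '*',
    the value behind the GUI's 'All non-internal indexes' choice."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # cycle guard; roles defined in other files are skipped
        return set()
    seen.add(name)
    sources = {name} if "*" in roles[name]["allowed"] else set()
    for parent in roles[name]["imports"]:
        sources |= broad_grant_sources(roles, parent, seen)
    return sources

def roles_with_all_indexes(text: str) -> dict:
    """Every role that effectively sees all non-internal indexes, with the role(s) the grant comes from."""
    roles = parse_roles(text)
    found = {name: broad_grant_sources(roles, name) for name in roles}
    return {name: sorted(src) for name, src in found.items() if src}
```

Because Splunk merges authorize.conf across system and app default/local layers, run the check on the merged view (for example the output of `splunk btool authorize list`) rather than on a single file, so inherited grants from other apps are not missed.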

PavelP
Motivator

Hello @conwaw,

It's a pity that there is no "security considerations" section in the planning manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder.
