I have installed a Splunk Enterprise system with multiple users. Each of our users has access only to specified indexes.
On our search head I have installed the Splunk DB Connect App. This app includes two user roles:
db_connect_admin (with admin permissions)
db_connect_user (with user permission)
To allow my users (~400 users) to use the Splunk DB Connect App, I have assigned each user a new role - db_connect_user.
After a few weeks one of my users discovered that he has full access to all indexes. I was really surprised because until now everything was restricted. I have reviewed all roles and I realised that each user with the assigned role db_connect_user has full access to all indexes. This is an enterprise system with a lot of indexes containing sensitive information.
The problem is generated by this field (Role -> Indexes -> All non-internal indexes), which cannot be deactivated in the GUI (or I do not know how to do it - maybe someone will help here):
I have got information from support that this capability cannot be deactivated, which is wrong.
I have uninstalled the Splunk DB Connect App - and everything went back to normal.
I would just like to warn all users that installation of that add-on generates a high risk of data leak.
I have opened a ticket with support but as I see our discussion is going nowhere...
Maybe someone will be able to help me and tell me how to deactivate the role field "indexes > All non-internal indexes"???
I'm using the latest release of that App and Splunk 8.0.
I appreciate any hints.
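For readers who want to check their own deployment for this kind of exposure: in Splunk, roles live in authorize.conf as [role_<name>] stanzas, the "All non-internal indexes" checkbox in the GUI corresponds to a value of * in srchIndexesAllowed, and a role inherits the index access of every role listed in importRoles. The script below is an added example, not part of the original post and not code from Splunk or the DB Connect app: it parses an authorize.conf-style text, resolves importRoles inheritance, and reports every role whose effective index access includes the wildcard, together with the role that introduces it. The sample configuration embedded in it is constructed for illustration and does not reproduce DB Connect's shipped files.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample in authorize.conf syntax (NOT the app's real file).
# "finance_with_dbx" has no wildcard of its own but inherits one via importRoles,
# which is exactly the situation that is easy to miss when auditing in the GUI.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_finance_analyst]
importRoles = user
srchIndexesAllowed = finance

[role_db_connect_user]
srchIndexesAllowed = *

[role_finance_with_dbx]
importRoles = finance_analyst;db_connect_user
"""


def _split(value: str) -> List[str]:
    # Splunk separates list values in authorize.conf with semicolons.
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep camelCase keys such as srchIndexesAllowed
    cp.read_string(conf_text)
    roles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section.startswith("role_"):
            name = section[len("role_"):]
            roles[name] = {k: cp.get(section, k) for k in cp[section]}
    return roles


def effective_indexes(roles: Dict[str, Dict[str, str]], role: str,
                      _seen: Set[str] = None) -> Set[str]:
    """Union of srchIndexesAllowed over the role and everything it imports."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:   # cycle guard / unknown role
        return set()
    _seen.add(role)
    allowed = set(_split(roles[role].get("srchIndexesAllowed", "")))
    for parent in _split(roles[role].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, _seen)
    return allowed


def wildcard_contributors(roles: Dict[str, Dict[str, str]], role: str,
                          _seen: Set[str] = None) -> Set[str]:
    """Roles in the inheritance chain that directly grant '*' (all non-internal indexes)."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    out: Set[str] = set()
    if "*" in _split(roles[role].get("srchIndexesAllowed", "")):
        out.add(role)
    for parent in _split(roles[role].get("importRoles", "")):
        out |= wildcard_contributors(roles, parent, _seen)
    return out


def audit_wildcard_index_access(conf_text: str) -> Dict[str, List[str]]:
    """Map each over-exposed role to the sorted list of roles that introduce the wildcard."""
    roles = parse_roles(conf_text)
    findings: Dict[str, List[str]] = {}
    for name in roles:
        contributors = wildcard_contributors(roles, name)
        if contributors:
            findings[name] = sorted(contributors)
    return findings


if __name__ == "__main__":
    for role, via in audit_wildcard_index_access(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: all non-internal indexes via {', '.join(via)}")
```

Run it against the merged output of `splunk btool authorize list --debug` (or a copy of the relevant authorize.conf files) to see which roles, including ones that only inherit the setting, grant searches over every non-internal index; the same keys are visible per role through the REST endpoint services/authorization/roles.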
It's a pity that there is no "security considerations" section in the planning manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,