Hi
I have an index named "xyz" and inside that, I have data from different sources (a, b, c etc.). I want to restrict permission on index=xyz source=a instead of the whole index. Is this possible to do? If yes, how can I do it?
Please help.
Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.
https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Aboutusersandroles
https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Addandeditroles#Search_filter_format
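As an added illustration (not from the original answer), this is what the three-role approach looks like in authorize.conf; the role names and the use of the built-in "user" role as the parent are assumptions:

```ini
# authorize.conf (added example, not from the original answer).
# Three roles that can all read index "xyz" but are each confined to one
# source by a role search filter. Role names and the parent role "user"
# are assumptions for this illustration.

[role_xyz_source_a]
importRoles = user
srchIndexesAllowed = xyz
srchIndexesDefault = xyz
# Appended to every search this role runs; quote the value if it contains spaces.
srchFilter = source=a

[role_xyz_source_b]
importRoles = user
srchIndexesAllowed = xyz
srchIndexesDefault = xyz
srchFilter = source=b

[role_xyz_source_c]
importRoles = user
srchIndexesAllowed = xyz
srchIndexesDefault = xyz
srchFilter = source=c

# Caveat: if a user holds more than one of these roles, Splunk combines the
# filters with OR, so assign exactly one per user and verify the effective
# scope with a test account (e.g. search index=xyz | stats count by source).
```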
There is nothing that cannot be trivially bypassed. You can send the data twice (double license hit), once to the everybody index and once (filtered to remove source=a) to the somebodies index. Or you can use ... | NOT source=a | collect in a scheduled search to a summary index (free).
I was able to do this by using a search filter, but I would suggest getting the data into a separate index and restricting permissions on that instead of at the source level. Restricting permission at the source level is very difficult to maintain in the long run and is a little complicated.
Not effectively, no. The index is the fundamental ACL boundary.