Splunk Enterprise Security

Creating an index accessible to only one Splunk role

pranavna
Explorer

I want to create an index which will have sensitive data, and I want it to be accessible only by the admin team and the security team.

Basically, exactly the opposite of https://answers.splunk.com/answers/301280/how-to-restrict-access-to-one-certain-index-withou.html

I don't want to add a search filter for each and every role, as we have 100 roles and it's a maintenance nightmare.
Is there any elegant way to do this?

0 Karma

lakshman239
SplunkTrust

One option would be to create a new role, say role_sensitive_data, and set up that role to search index=sensitive. You can then inherit this role for 'admin' and 'security team'. This would also depend on how you have set up your 100s of roles [I assume they don't search all indexes by default and you would have restricted them to what they need to search by index names].

pranavna
Explorer

Again, we have nearly 130 indexes; we cannot add the capabilities to the rest of the users. Having role_sensitive_data, we cannot restrict others to not use it.

0 Karma

lakshman239
SplunkTrust

How have you mapped the 130 indexes to the users? Do you not have 1 role mapped to one or more indexes?

pranavna
Explorer

When you create an index, everyone has access to that index by default. I have not added mapping of any sort.

IDK if I am able to convey what I want.

Basically, if we create an index, any data there should be visible to only 1 team/role.

0 Karma
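
An added example, not part of the thread and not Splunk's own code: a Python audit that reads authorize.conf-style text and lists which roles can search a given index, following `importRoles` inheritance and `srchIndexesAllowed` wildcards. The conf content, role names and index names are constructed, and the wildcard handling is a simplified assumption about how Splunk matches index patterns.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf content; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
[role_sensitive_data]
srchIndexesAllowed = sensitive
[role_admin]
importRoles = sensitive_data;user
[role_security_team]
importRoles = sensitive_data
srchIndexesAllowed = firewall;proxy
[role_helpdesk]
importRoles = user
[role_netops]
srchIndexesAllowed = firewall;net*
"""

def parse_roles(conf_text):
    """Return {role: (imported_roles, allowed_patterns)} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    split = lambda v: [p.strip() for p in v.split(";") if p.strip()]
    return {s[len("role_"):]: (split(cp[s].get("importRoles", "")),
                               split(cp[s].get("srchIndexesAllowed", "")))
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(role, roles, seen=None):
    """Own srchIndexesAllowed plus everything inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # unknown role or inheritance cycle
        return set()
    seen.add(role)
    imports, allowed = roles[role]
    patterns = set(allowed)
    for parent in imports:
        patterns |= effective_patterns(parent, roles, seen)
    return patterns

def pattern_matches(pattern, index):
    # Assumed simplification: internal (_-prefixed) indexes match only _-prefixed patterns.
    return index.startswith("_") == pattern.startswith("_") and fnmatchcase(index, pattern)

def roles_with_access(conf_text, index):
    """Sorted role names whose effective index patterns cover `index`."""
    roles = parse_roles(conf_text)
    return sorted(r for r in roles
                  if any(pattern_matches(p, index) for p in effective_patterns(r, roles)))
```

On the constructed sample, every role that holds or inherits the `*` pattern is reported for `sensitive`; narrowing that one pattern leaves only the dedicated role and the two roles that import it.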