I want to create an index which will have sensitive data and want it to be accessible by only the admin team and security team.
Basically the exact opposite of https://answers.splunk.com/answers/301280/how-to-restrict-access-to-one-certain-index-withou.html
I don't want to add a search filter for each and every role as we have 100 roles and it's a maintenance nightmare.
Is there any elegant way to do this?
One option would be to create a new role, say role_sensitive_data, and set up that role to search index=sensitive. You can then inherit this role for 'admin' and 'security team'. This would also depend on how you have set up your 100s of roles [I assume they don't search all indexes by default and you would have restricted them to what they need to search by index names].
Again, we have nearly 130 indexes; we cannot add the capabilities to the rest of the users. Having role_sensitive_data, we cannot restrict others from using it.
How have you mapped the 130 indexes to the users? Do you not have 1 role mapped to one or more indexes?
When you create an index, everyone has access to that index by default. I have not added mapping of any sort.
IDK if I am able to convey what I want.
Basically, if we create an index, any data there should be visible to only 1 team/role.
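As an added example (not from this thread or from Splunk's own defaults), the authorize.conf shape that implements the role_sensitive_data suggestion from the answer while addressing the later comment that every new index is visible to everyone: the base role name, the index name `sensitive` and the team role names are assumptions. The approach only works when no other role keeps `srchIndexesAllowed = *`, because index access is the union of a role's own list and everything it imports.

```ini
# Added example, not from the thread: authorize.conf on the search head.
# Stanza names and the index name "sensitive" are assumptions for illustration.

# Base role that the ~100 ordinary roles import. It must NOT have
# srchIndexesAllowed = *, otherwise any newly created index (including
# "sensitive") is searchable by everyone, which is the problem described above.
[role_base_user]
importRoles =
srchIndexesAllowed = main;app_logs
srchIndexesDefault = main

# The only role that lists the sensitive index. Nobody reaches the index
# without importing this role, so no per-role search filters are needed.
[role_sensitive_data]
importRoles = role_base_user
srchIndexesAllowed = sensitive
srchIndexesDefault = sensitive

# Security team inherits access to "sensitive" through the import.
# The built-in admin role already has srchIndexesAllowed = * and needs nothing.
[role_security_team]
importRoles = role_sensitive_data

# One of the ordinary roles: imports only the base role, so index=sensitive
# is invisible to it even though the index exists.
[role_app_support]
importRoles = role_base_user
srchIndexesAllowed = app_logs
```

To find roles that still grant everything, run `splunk btool authorize list --debug` on the search head and look for `srchIndexesAllowed = *` outside `[role_admin]`; those are the roles that would see the new index regardless of the stanza above.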