Defining new user in a new role with access to a s...

MoienABO · ‎12-05-2022

Hi splunkers,

I've defined a new role and check all capabilities for that but just access to a specific index. when i search in that index, it doesn't show any results for me. With another user and another role i can search in that index. Something wired is when i change the user role to for example "user", the search results shown. is there a limit in number of roles can be defined in splunk? How can i troubleshoot these kindes of permissions in splunk logs?

MoienABO · ‎12-07-2022

Thanks for your answer

all capabilities for that role are checked and in "indexes" section, cisco-asa, cisco-devices, cisco-ise, dhcp, fortigate and waf are checked. Here is a picture of authorize.conf:

richgalloway · ‎12-07-2022

And which index is the one you're trying to access and can't?

---
If this reply helps you, Karma would be appreciated.

MoienABO · ‎12-07-2022

All of indexes listed above

richgalloway · ‎12-06-2022

The number of roles defined is not the issue. Either the role or the user is defined incorrectly. Please share the settings for the role, in particular the "indexes" tab.

---
If this reply helps you, Karma would be appreciated.

Defining new user in a new role with access to a specific index, does not show results

administration

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms