Splunk Enterprise

How to best manage AD groups, users, roles and index access?

Path Finder


I have two indexes and three users.  Each user is in specific AD group.  Each group is mapped to a respective role.  Each role gives access to a specific index(es).

user_a can only search index_a, user_b only index_b and user_c can search both.  Restricting access to indexes is important.


AD group
user_idx_a (user_a is a member)
user_idx_b (user_b is a member)
user_idx_all (user_c is a member)

Users and roles
user_a has role role_a
user_b has role role_b
user_c has role role_c


importRoles = user
srchIndexesDefault = index_a
srchIndexesDisallowed = index_b

importRoles = user
srchIndexesDefault = index_b
srchIndexesDisallowed = inbex_a

importRoles = user

That's all fine. But as more indexes are added, I wonder how this will scale, especially where, for example, user_d needs access to newly created index_d, plus say index_a.  I will now need a new AD group (user_idx_d), a new role (role_role_a_d) and a suitable entry in authorize.conf

I've gained some mileage from putting index restrictions on the inherited (user) role.  For example:

srchIndexesDisallowed = main;splunklogger;summary

I had thought I would put users in multiple AD groups, but whilst membership brings a new role / index, it also means I end up with conflicting 'disallowed' directives.

Is there a better way?  Or have I reduced the administration to the minimum whilst maintaining index access granularity?

Many thanks.

Labels (2)
Tags (1)
0 Karma



My company also faced the same issue. Splunk have a very restricted way of doing RBAC. Until now they do not have any fixes on this. Do you have any luck on this thus far? 



Anton Yeo 

0 Karma



you should found answer to your issue from this conf presentation.


r. Ismo

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...