Splunk Enterprise

How to best manage AD groups, users, roles and index access?

Path Finder


I have two indexes and three users.  Each user is in specific AD group.  Each group is mapped to a respective role.  Each role gives access to a specific index(es).

user_a can only search index_a, user_b only index_b and user_c can search both.  Restricting access to indexes is important.


AD group
user_idx_a (user_a is a member)
user_idx_b (user_b is a member)
user_idx_all (user_c is a member)

Users and roles
user_a has role role_a
user_b has role role_b
user_c has role role_c


importRoles = user
srchIndexesDefault = index_a
srchIndexesDisallowed = index_b

importRoles = user
srchIndexesDefault = index_b
srchIndexesDisallowed = inbex_a

importRoles = user

That's all fine. But as more indexes are added, I wonder how this will scale, especially where, for example, user_d needs access to newly created index_d, plus say index_a.  I will now need a new AD group (user_idx_d), a new role (role_role_a_d) and a suitable entry in authorize.conf

I've gained some mileage from putting index restrictions on the inherited (user) role.  For example:

srchIndexesDisallowed = main;splunklogger;summary

I had thought I would put users in multiple AD groups, but whilst membership brings a new role / index, it also means I end up with conflicting 'disallowed' directives.

Is there a better way?  Or have I reduced the administration to the minimum whilst maintaining index access granularity?

Many thanks.

Labels (2)
Tags (1)
0 Karma



My company also faced the same issue. Splunk have a very restricted way of doing RBAC. Until now they do not have any fixes on this. Do you have any luck on this thus far? 



Anton Yeo 

0 Karma



you should found answer to your issue from this conf presentation.


r. Ismo

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...