Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Restrict access so users can only view specific lo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restrict access so users can only view specific lookups
Hello,
I have a new set of users who I want to only be able to access 2 specific lookups. However, those lookups need to be viewed by my other general users still. As of now- I don't have separate apps set up for anything -everything lives in Search & Reporting.
What is the best way to approach this situation so that my users will only be able to view the 2 lookups in a dashboard but not access any other data?
EDIT:
I have thought about it and I think the below method may work- is this a way to approach the problem?
Create a new role and give it all of the same capabilities as the user-role but do not give the role access to any indexes. All of my lookups are global permissions so they will be able to see the necessary lookups.
Downfalls- they will be able to see all lookups (but not a huge concern if they dont know the name of the lookup and are not searching for other data), they will see other dashboards (but the data in the dashboards will be blank correct?)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi katzr,
When you say
All of my lookup are global permissions
Are you talking about the object context (shared in all Apps) or saying read permissions are set to everyone?
Because if you do create a new role, I think you could assign Read permissions to it for specific lookups only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The read permissions are set to everyone. How can I set the read permissions to specific lookup only for a role?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Settings > Lookups > Lookup Table Files
then click Permissions hyperlink for the specific lookup, uncheck Everyone for the Read Column and check for the role(s) you want to assign read permissions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only good RBA in Splunk is access to particular index values; everything else is paper thin and easily bypassed. Therefore, the only thing that might work is a scripted lookup that creates a temporary lookup from a splunk search against a static index where the lookup data has been indexed and saves it to a random lookup name, uses the lookup and then deletes the lookup. This is really tempting me to try and create this but I am too busy. It should work though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock thank you for the help- let's say that it is okay if they can view all of the lookups- they wouldn't be able to view any of the indexes though if I don't assign the role the permissions correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, restrictions to index data is pretty solid.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
