I have a local instance on my laptop for demo purposes, so no complex deployment on this machine.
I have created an eventtype="event1" which should be used in the search filtering terms for a role in order to restrict searches.
I then create a role named "role1":
1. Inheritance: none
2. Capabilities: run_collect, run_mcollect, schedule_rtsearch, search
3. Indexes: main
4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event) - If tested, this SPL correctly returns the results I want the role to be able to search on
5. Resources: Nothing changed
I then save the role and assign it to the demo user. I also restarted Splunk as the docs say.
When I log in with the demo user, I can see all the events, and they are not filtered by the restrictions of its role.
Any clue on this?
I have same problem with Splunk 7.0.
Let's assume there's a role "my_role". In my case that role had the inherited role "power", and that was the problem. After switching from "power" to "user", the restriction worked.
Yes, that would do. In my case I didn't inherit any role, but it all has to do with license permissions. Search restriction works fine.
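For reference, here is what the role from the question looks like as an authorize.conf stanza, alongside the inheritance variant the answer above identifies as the cause. This is an added example, not configuration from the original post or from Splunk's documentation; the role, index, sourcetype and eventtype names are the ones used in the question, and the capability values follow the usual `<capability> = enabled` form of authorize.conf.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Added example: role "role1" from the question, expressed as a config stanza.
# Edits to this file take effect after a splunkd restart (as the question already did).

[role_role1]
# Inherit only from "user". Search filters are combined across inherited roles
# with OR, so inheriting from a role that carries no srchFilter (such as "power")
# widens the effective filter to "everything" and the restriction below is lost.
importRoles = user

# Capabilities listed in the question
run_collect = enabled
run_mcollect = enabled
schedule_rtsearch = enabled
search = enabled

# Indexes the role may search, and the default when no index is given
srchIndexesAllowed = main
srchIndexesDefault = main

# The restriction from the question. The eventtype name must match the one
# actually defined in eventtypes.conf (the question defined "event1").
srchFilter = (index::main) AND (sourcetype::source) AND (eventtype::event1)

# Broken variant for comparison (do not use both stanzas at once):
# [role_role1]
# importRoles = power
# srchFilter = (index::main) AND (sourcetype::source) AND (eventtype::event1)
# -> "power" contributes no filter, so the OR of the two filters is unrestricted
#    and the demo user sees every event in main.
```

To confirm what a role actually ends up with after inheritance, compare the merged stanza from `splunk btool authorize list role_role1 --debug` with the `imported_srchFilter` field returned by `| rest /services/authorization/roles` run as an admin; the latter shows the filter contributed by inherited roles, which is where an unrestricted parent becomes visible.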