Restrict searches for a role using search terms is...

totalfroggy · ‎07-14-2020

Hi All.

I have a local instance on my laptop for demo purposes, so no complex deployment on this machine.

I have created an eventype="event1" wich should be used on search filtering terms for a role in order to restrict searches.

I then create a role named "role1":

1. Inheritance: none

2. Capabilities: run_collect, run_mcollect, schedule_rtsearch, search

3. Indexes: main

4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event) - If tested, this spl correctly returns the results I want the role to be able to search on

5. Resources: Nothing changed

I then save the role and assign it to the demo user. I also restarted splunk as docs says.

When I login with demo user, I can see all the events and is not filtering by the restrictions of its role.

Any clue on this?

Thanks!

vzabawski · ‎09-07-2020

I have same problem with Splunk 7.0.

Let's assume there's a role "my_role". In my case that role had inherited role "power" and that was the problem. After switching from "power" to "user", the restriction worked.

MLGSPLUNK · ‎09-07-2020

Yes, that would do. In my case i didn't inherited any role but it all has to do with license permission.

Search restriction works fine.

Restrict searches for a role using search terms is not working

other

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!