user role to specific index not working with index=*

sarit_s
Communicator

Hello
I have several reports that contain the search index=something_*_something
in my case, '*' is the name of the region

I've created a role that has access to only one index (I have an index per region)
and set this role to a user

When I'm searching with this user on a specific index, the role is working, but when I'm running the report with index=something_*_something it is not working and I'm getting all the data

is it possible to set roles on indexes when searching for index=*?

0 Karma

DavidHourani
Super Champion

Hi @sarit_s,

Good question and yes it's absolutely possible! The report you're running could be using a different user than the one you are when testing the search on the search interface. So please verify that.

Once that's verified, make sure that user is configured to use only the indexes that he's allowed to see. Steps are here:
https://docs.splunk.com/Documentation/PCI/3.8.0/Install/ConfigureUsersRoles#Configure_the_roles_to_s...

Let me know if that works!

Cheers,
David

0 Karma

sarit_s
Communicator

Hi @DavidHourani
This is exactly what I did and the results are as I wrote in my question

How can I verify which user is running the job, other than checking which user is logged in?

0 Karma

DavidHourani
Super Champion

The user running the search IS the user logged in. The user running the report is the owner of the report. Have a look who owns the report, if it's admin, then it will run over all indexes because of the *.

0 Karma

sarit_s
Communicator

Oh.. ok
Is it possible to control it?
Since all the reports were created by admin but now I have multiple users that have to run these reports

0 Karma

DavidHourani
Super Champion

Yeah, you can change it from savedsearch.conf and from the GUI. But if you want to run the report in a scheduled way each user must own their own report to get different results 🙂

0 Karma

sarit_s
Communicator

Wow. It's crazy to manage such a thing!
there is no other way?

0 Karma

DavidHourani
Super Champion

It works perfectly well for your dashboards when you use something like this: index=something_*_something, but yeah, for saved searches and reports they will always run with the owner's account..

0 Karma

sarit_s
Communicator

thanks !

0 Karma

sarit_s
Communicator

Hey
Just an update, maybe it can be helpful to others

When setting a report's permissions it is possible to choose if the report will run as the report's owner or by user

I don't know if it is a new feature but it is there 🙂

0 Karma
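
The owner-versus-user behaviour discussed in this thread can be audited from configuration. The following is an added example, not code from the thread or from Splunk: it parses constructed `savedsearches.conf` text and flags reports that combine a wildcard index with `dispatchAs = owner`, which is the default when the setting is absent. The stanza names and the helper names `parse_conf` and `risky_reports` are assumptions for illustration.

```python
import re

# Constructed sample of savedsearches.conf content; stanza names are made up.
SAMPLE_CONF = r"""
[Regional errors - all]
search = index=something_*_something error | stats count by host
dispatchAs = owner

[Regional errors - per user]
search = index=something_*_something error | stats count by host
dispatchAs = user

[EMEA logins]
search = index=something_emea_something action=login \
    | timechart count

[Implicit default]
search = index=* sourcetype=syslog
"""

# Matches an index= term whose value contains a wildcard.
WILDCARD_INDEX = re.compile(r'\bindex\s*=\s*"?[^\s"|]*\*')

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def risky_reports(text):
    """Return reports that search a wildcard index and dispatch as the owner."""
    flagged = []
    for name, cfg in parse_conf(text).items():
        dispatch_as = cfg.get("dispatchAs", "owner").lower()  # owner is the default
        if dispatch_as == "owner" and WILDCARD_INDEX.search(cfg.get("search", "")):
            flagged.append(name)
    return flagged
```

A report flagged here returns data from every matching index the owner's role can search, whoever opens it. Scheduled runs use the owner's account regardless of this setting, as noted in the thread.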