We have a fairly large deployment with 60 plus individual apps. These are used almost exclusively by DEVOPS and we haven't really had a need to limit users from using apps/views.
Now we have a need to expose some data to 200 people outside of IT and would like to determine the best way to prevent them from being able to just poke around... i.e. limit them to a specific APP and/or Views/Dashboards within that app and not allow them access to Search within that app.
Based on docs, to grant a role access to only a single App, it looks like I need to:
- Remove "everyone" access from all apps and grant each existing role specific access to all 60+ existing apps
- Create a new role with most capabilities of user (e.g. user_external)
- Grant user_external access only to the apps/views needed
Do I have this right? If so any suggestions as to the best way to go about it?
For background, I am a power user/developer without full admin access who just got admin certification. I will be bringing approaches to the Splunk admin team to execute and want to bring best practice to the table as we haven't done this before.
Thanks!
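An added example, not part of the original post: a way to check the outcome of the steps above across many apps by parsing each app's metadata ACL (the `access = read : [ ... ], write : [ ... ]` lines in `default.meta`/`local.meta`) and listing which apps a role can still read. The app names and sample metadata are constructed, and the fallback from an object to the app-level `[]` stanza is a simplifying assumption; pass the role together with any roles it inherits from.

```python
import re

# Constructed sample metadata in the `access = read : [ ... ], write : [ ... ]`
# form used by default.meta/local.meta; the app names are hypothetical.
SAMPLE_APPS = {
    "devops_metrics": "[]\naccess = read : [ * ], write : [ admin ]\n",
    "external_portal": (
        "[]\naccess = read : [ admin, user_external ], write : [ admin ]\n"
        "[views/search]\naccess = read : [ admin ], write : [ admin ]\n"
    ),
    "infra_ops": "[]\naccess = read : [ admin, power ], write : [ admin ]\n",
}

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} for one .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[]" (app level) becomes ""
            stanzas.setdefault(current, {})
        elif current is not None and line.split("=")[0].strip() == "access":
            for kind, roles in ACCESS_RE.findall(line):
                stanzas[current][kind] = {r.strip() for r in roles.split(",") if r.strip()}
    return stanzas

def can_read(stanzas, stanza, roles):
    """True if any of `roles` (the role plus roles it inherits) may read."""
    readers = stanzas.get(stanza, {}).get("read")
    if readers is None:  # assumption: no ACL on the object, use the app-level one
        readers = stanzas.get("", {}).get("read", set())
    return "*" in readers or bool(readers & set(roles))

def audit(apps, roles):
    """Map app name -> True/False for app-level read access by `roles`."""
    return {name: can_read(parse_meta(text), "", roles) for name, text in apps.items()}

if __name__ == "__main__":
    for app, visible in sorted(audit(SAMPLE_APPS, {"user_external"}).items()):
        print(f"{app}: {'VISIBLE' if visible else 'hidden'}")
```

Any app reported as visible other than the intended one still exposes its contents to the restricted role, typically because its app-level ACL grants read to `*`.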