We observed a security loophole in Splunk Enterprise Security. We have restricted permission on "Y" index in Splunk to "X" role participants only. Other members, except team X, are not able to view data in that index when they are running query (index="Y") but when someone from x team forwards the search link after running query index="Y" to other team, they are able to view data in that index. I believe the reason is when they share the search link they are sharing sid associated with that search, which is why security is bypassed.
Can someone please help us to understand why this is happening?
... View more