Hey,
I know that you can set read/write permissions on views.
Is it possible to set read permissions on indexes and sourcetypes?
I ask this because it might be good to just prevent certain Splunk users from being able to read data from a particular index. It may be easier to have this functionality instead of turning off read/write access to every view that uses an index/sourcetype that you do not want certain users to have access to.
Thanks in advance for your help.
Yes, it's possible to restrict access to an index for a role. You can select the visible indexes for every role at Manager » Access controls » Roles » your role under Indexes. You can specify the default indexes (those are searched when no explicit index is specified in the search).
Restricting access to a sourcetype is more complicated. It can only be done by defining Search restrictions for a role, such as
NOT sourcetype=mysourcetype
This is already in place.
If you would like users to only access part of the data, then you make sure that you split the data in different indexes. Then, you assign the "default indexes" and "indexes" to specific roles.
You need to go to Manager » Access controls » Roles » user
and give specific permissions to the role.
Default indexes = what a default search will look at.
Indexes = what a user can actually specify in the search, for example, "index=abcd"
Default indexes
Set the index(es) that searches default to when no index is specified. Users with this role can search other indexes using index= (e.g., "index=special_index").
Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.
The OP mentioned that he had concerns about users writing to indexes as well (I'm guessing a good example would be a user running |collect)... Does anyone know how to protect from users writing to indexes?
Yes, you restrict the ACL in the indexers' inputs.conf
acceptFrom = ...
* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces
Thanks for the info Genti. If both answers could be ticked I would have done that. Maybe that's an idea for an updated version of Splunk Answers.
Note: you need to prevent the role from inheriting from the User role. Inheriting from the User role gives the new role access to all non internal indexes by default.
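The role settings discussed in the answers above (visible and default indexes, the sourcetype search restriction, not inheriting from the User role, and the acceptFrom input restriction) expressed as configuration stanzas. This is an added example, not configuration from the thread; the role name, index name, sourcetype and network range are constructed.

```ini
# authorize.conf on the search head (constructed example)
# A role that may only read the constructed index "web_prod" and never
# sees events of the constructed sourcetype "secret_app".
[role_web_readonly]
# Leave importRoles empty: the built-in "user" role is allowed every
# non-internal index, and inherited roles widen index access.
importRoles =
# Capabilities the role still needs in order to run searches at all
search = enabled
# Indexes the role may name explicitly with index=...
srchIndexesAllowed = web_prod
# Index searched when the user supplies no index= term
srchIndexesDefault = web_prod
# Search restriction appended to every search this role runs;
# the equivalent of the "NOT sourcetype=..." restriction above
srchFilter = NOT sourcetype=secret_app
# Newer Splunk versions expose a run_collect capability for "| collect";
# verify it exists in your version's authorize.conf.spec before relying on it.
run_collect = disabled

# Weaker variant for contrast: inheriting "user" re-opens all
# non-internal indexes no matter what srchIndexesAllowed says.
# [role_web_readonly_weak]
# importRoles = user
# srchIndexesAllowed = web_prod

# inputs.conf on each indexer (constructed example): only the listed
# network may open a connection to the receiving port.
[splunktcp://9997]
acceptFrom = 10.20.0.0/16
```

Check the effective result with a test user in the role: a search with no index= term should return only web_prod events, and index=* should not reveal other non-internal indexes.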
This is useful to know as I might restrict some users' access to certain sourcetypes in my Splunk instance. Thanks again.