Getting Data In

Permissions on indexes and sourcetypes

Ant1D
Motivator

Hey,

I know that you can set read/write permissions on views.

Is it possible to set read permissions on indexes and sourcetypes?

I ask this because it might be good to just prevent certain Splunk users from being able to read data from a particular index. It may be easier to have this functionality instead of turning off read/write access to every view that uses an index/sourcetype that you do not want certain users to have access to.

Thanks in advance for your help.

2 Solutions

ziegfried
Influencer

Yes, it's possible to restrict access to an index for a role. You can select the visible indexes for every role at Manager » Access controls » Roles » your role under Indexes. You can specify the default indexes (those are searches when no explicit index is specified in the search).

Restricting access to a sourcetype is more compliated. It can only be done by defining Search restrictions for a role, such as

NOT sourcetype=mysourcetype

View solution in original post

Genti
Splunk Employee
Splunk Employee

This is already in place.
If you would like users to only access part of the data, then you make sure that you split the data in different indexes. Then, you assign the "default indexes" and "indexes" to specific roles.

You need to go to Manager » Access controls » Roles » user and give specific permissions to the role.
Default indexes = what a default search will look at.
Indexes = what a user can actually specify in the search, for example, "index=abcd"

Default indexes
Set the index(es) that searches default to when no index is specified. User with this role can search other indexes using index= (e.g., "index=special_index").


Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

View solution in original post

w531t4
Path Finder

The OP mentioned that he had concerns about users writing to indexes as well (i'm guessing a good example would be a user running |collect)... Does anyone know how to protect from users writing to indexes?

mcronkrite
Splunk Employee
Splunk Employee

Yes, you retrict the acl on the indexers inputs.conf

acceptFrom = ...
* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces

Inputs Conf Spec

0 Karma

Genti
Splunk Employee
Splunk Employee

This is already in place.
If you would like users to only access part of the data, then you make sure that you split the data in different indexes. Then, you assign the "default indexes" and "indexes" to specific roles.

You need to go to Manager » Access controls » Roles » user and give specific permissions to the role.
Default indexes = what a default search will look at.
Indexes = what a user can actually specify in the search, for example, "index=abcd"

Default indexes
Set the index(es) that searches default to when no index is specified. User with this role can search other indexes using index= (e.g., "index=special_index").


Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

View solution in original post

Ant1D
Motivator

Thanks for the info Genti. If both answers could be ticked I would have done that. Maybe that's an idea for an updated version of Splunk Answers.

0 Karma

dfrankekcg
Explorer

Note: you need to prevent the role from inheriting from the User role. Inheriting from the User role gives the new role access to all non internal indexes by default.

0 Karma

ziegfried
Influencer

Yes, it's possible to restrict access to an index for a role. You can select the visible indexes for every role at Manager » Access controls » Roles » your role under Indexes. You can specify the default indexes (those are searches when no explicit index is specified in the search).

Restricting access to a sourcetype is more compliated. It can only be done by defining Search restrictions for a role, such as

NOT sourcetype=mysourcetype

View solution in original post

Ant1D
Motivator

This is useful to know as I might restrict some users access to certain sourcetypes in my Splunk instance. Thanks again.

0 Karma