I have a user access dilemma:
I have 10 indexes: index=index_a, index_b, index_c, index_d, index_e, index_f, index_g, index_h, index_i, index_k, index_l, index_m.
I gave my normal user base access via "srchIndexesAllowed = index_*".
Now I have created a new index, index=index_x. How do I make sure only admin or certain roles have access to it? The index_* covers everything and would cover this new index too, which I don't want.
Appreciate the answers in advance.
I'm not sure of the backend field name, but that appears to be using just restricted indexes. Have you looked into search-time restrictions? I can't in good conscience mention that without also mentioning that going that route introduces some PITA issues you wouldn't expect, but I also don't want to write them all out. We've had tickets that Splunk has largely ignored for almost 2 years on this. I think I made the mistake of categorizing them as enhancement requests vs. bugs. /sigh
You might look into securing access to indexes by using additional roles. One or more users could be a member of each role. Each role would grant access to a set of indexes or might only grant access to a single index.
This would likely require you to remove your wildcard approach and remove the index access granted to your user role, i.e. the user role no longer gives access to indexes.
I can do it; it's just the convention we use, and we'd like to stay with it. But if it's a last resort, I might have to. I just thought I read something about being able to blacklist indexes so that a role cannot have access to them. I was wondering if someone could give me a clear example of how to implement something like that. Thx
The index list in the roles is the only secure way to go.
Remember that you can have role inheritance, so you could have a parent role with * and a role with only_this_index, to simplify the management.
PS: the search filter conditions per role are not meant to restrict access; they just add extra search conditions.
Thanks rob. We did it this way for scalability reasons. We actually have a lot more than 10 indexes, and every time we add an index, we don't want to have to update the authorize.conf file to add it to the srchIndexesAllowed = path. Since our naming convention of 'index_?' won't change, it's better for us to leave it as a wildcard of index_*.
I was thinking along the lines of possibly putting in a blacklist for index_x, so that all indexes are searchable except those belonging to a blacklist... any thoughts?
OK, so your scenario is that most of the time all users are given access to all indexes, and once in a while an index which has more sensitive event data comes along and you have to restrict it. Wondering if you could just change your new index name to index-secure_x rather than index_x, so it wouldn't match your pattern rule by default? I'm guessing here, as I haven't tested wildcarding index access myself.
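As an added worked example (not part of any post above, and not Splunk's own code), the following Python script models how Splunk resolves a role's searchable indexes from authorize.conf: the `index_*` wildcard from the question, the additive role inheritance rob mentions (a child role gets the union of its own indexes and its parents'), and the rename idea in the last reply. The authorize.conf fragment, role names and index names are constructed for the example. `importRoles`, `srchIndexesAllowed` and `srchIndexesDefault` are the real setting names; `srchIndexesDisallowed` is a setting that later Splunk releases added, included here so the blacklist idea can be checked, but verify it in authorize.conf.spec for your version before relying on it, and note that whether it is inherited is an assumption in this model.

```python
"""Model of how Splunk resolves role index access from authorize.conf.

Added example, not from the thread. Assumptions are marked in comments.
"""
import configparser
import re
from typing import Dict, List, Optional, Set

# Constructed authorize.conf fragment (not from the thread): the wildcard
# "user" role from the question, an "analyst" role inheriting from it, a
# "secure_x" role that is the only one explicitly granted the secure index,
# and a "user_locked" role that uses a disallow entry (later Splunk releases
# only; check authorize.conf.spec for your version).
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = index_*
srchIndexesDefault = index_a

[role_analyst]
importRoles = user
srchIndexesAllowed = summary_*

[role_secure_x]
importRoles = user
srchIndexesAllowed = secure_x

[role_user_locked]
importRoles = user
srchIndexesDisallowed = index_x
"""

Role = Dict[str, str]


def parse_authorize(text: str) -> Dict[str, Role]:
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def split_list(value: str) -> List[str]:
    """Lists in authorize.conf are semicolon-delimited."""
    return [v.strip() for v in value.split(";") if v.strip()]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Only '*' is treated as a wildcard; every other character is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def effective_list(roles: Dict[str, Role], role: str, setting: str,
                   seen: Optional[Set[str]] = None) -> List[str]:
    """Union of a role's own list and everything inherited via importRoles.

    Inheritance is additive: a child role never loses access its parent grants.
    (Assumption: srchIndexesDisallowed is inherited the same way.)
    """
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    out = split_list(roles[role].get(setting, ""))
    for parent in split_list(roles[role].get("importRoles", "")):
        out += effective_list(roles, parent, setting, seen)
    return out


def can_search(roles: Dict[str, Role], role: str, index: str) -> bool:
    """A disallow pattern takes precedence over any allow pattern."""
    if any(wildcard_to_regex(p).match(index)
           for p in effective_list(roles, role, "srchIndexesDisallowed")):
        return False
    return any(wildcard_to_regex(p).match(index)
               for p in effective_list(roles, role, "srchIndexesAllowed"))


def roles_with_access(roles: Dict[str, Role], index: str) -> List[str]:
    """Every role that could search the given index, sorted by name."""
    return sorted(r for r in roles if can_search(roles, r, index))


ROLES = parse_authorize(AUTHORIZE_CONF)

if __name__ == "__main__":
    # Run this before creating a new index to see who would inherit access.
    for idx in ("index_a", "index_x", "secure_x"):
        print(f"{idx}: {roles_with_access(ROLES, idx)}")
```

Running it shows the problem from the question directly: `index_x` is searchable by every role that inherits the `user` wildcard, while an index named outside the pattern (`secure_x`) is visible only to the role that lists it, and a disallow entry, where your version supports one, overrides the wildcard for the role that carries it.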