
Permissions and Accelerated Search

tdiestel
Path Finder

I have a question concerning Accelerated Search and Data Model Acceleration, but before I ask it let me give you some background on what I plan to do. Currently, I'm trying to scope out what needs to be done when I bring on new clients without having to have multiple environments, dashboards, queries, etc. One thought was that when I bring on a new client, I just create new indexes with a specific suffix (such as index_name_"Insert Client Name Here") and then change my dashboard queries to be index=index_name*, thus it will cover all the clients for the specific index type. Lastly, we will just need to set up specific roles that can only look at specific indexes, thus when, let's say, CLIENT_A runs the query index=index_name*, they will only receive info from index=index_name_CLIENT_A and not index=index_name_OTHER_CLIENTS. This way I can manage many clients with the same queries and not have to worry about making changes to each of their specific dashboards. Then if they want something specific geared only to them, I will create a new dashboard that will only be viewable by the role for their users.

With that in mind, do you think that when I create an accelerated search or a data model, the data in those models will still inherit the permissions I designated for their roles? So keeping with our example, if I have an Accelerated Search with index=index_name* and a user with the CLIENT_A role were to use it, they would only receive data for index=index_name_CLIENT_A and still take advantage of the accelerated search's summaries.

0 Karma

tdiestel
Path Finder

The permissions to the specific indexes are kept; you just have to ensure that the user's permissions enable them to use accelerated searches and data models.

0 Karma

martin_mueller
SplunkTrust

While I don't know the answer off the top of my head, this should be fairly straightforward to test. Set up two indexes according to your naming scheme along with two roles that can each see only one index. Dump some test data into each index, set up a simple search (index=test_indexes* | stats count by index or whatever) and accelerate that. Then log in with either user and see what's what.

0 Karma
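
The test setup martin_mueller describes, sketched as Splunk configuration. This is an added example, not part of any post in the thread; the index, role and report names are constructed placeholders, and the 7-day summary range and the admin-owned report are assumptions.

```ini
# indexes.conf: two test indexes following the thread's naming scheme
[test_indexes_client_a]
homePath   = $SPLUNK_DB/test_indexes_client_a/db
coldPath   = $SPLUNK_DB/test_indexes_client_a/colddb
thawedPath = $SPLUNK_DB/test_indexes_client_a/thaweddb

[test_indexes_client_b]
homePath   = $SPLUNK_DB/test_indexes_client_b/db
coldPath   = $SPLUNK_DB/test_indexes_client_b/colddb
thawedPath = $SPLUNK_DB/test_indexes_client_b/thaweddb

# authorize.conf: one role per client, each limited to its own index.
# No importRoles here: an imported role's index access is inherited, so
# importing a role with a broader srchIndexesAllowed would defeat the test.
[role_client_a]
search = enabled
srchIndexesAllowed = test_indexes_client_a
srchIndexesDefault = test_indexes_client_a

[role_client_b]
search = enabled
srchIndexesAllowed = test_indexes_client_b
srchIndexesDefault = test_indexes_client_b

# savedsearches.conf: the wildcard report from the thread, accelerated.
# Created and owned by an admin; the 7-day summary range is an assumption.
[test_accel_count_by_index]
search = index=test_indexes* | stats count by index
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d@d

# metadata/local.meta: share the report read-only with both test roles
[savedsearches/test_accel_count_by_index]
access = read : [ client_a, client_b ], write : [ admin ]

# Pass criterion: run as a client_a user, the report's "index" column lists
# only test_indexes_client_a; as a client_b user, only test_indexes_client_b.
# Any other row means summary data crossed roles.
```

Run the report once as each test user after the summary has finished building, so the comparison covers the accelerated path and not only the raw-event search.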