Security

Restrict Users to Search Specific Indexes

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I have a number of teams who have Splunk apps which contain the 'search' functionality, with each app allocated it's own role which in turn, we assign to users.

I'm now wanting to allocate the roles to specific indexes for the purpose of increased efficiency and security which I'm comfortable and able to do.

I'm told, that although the 'search' function is a link within the app, I'm not able to restrict the indexes via the role to prevent users being able to search indexes not pertinent to the user.

Could someone please confirm for me whether this is correct or not?

Many thanks and kind regards

Chris

0 Karma
1 Solution

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

You can restrict a role to search only specific indexes

Settings  » Access controls » Roles »

Edit the role and you can set which indexes can be accessed by this role by setting the values under

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Check step 7 in https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/Addandeditroles#Add_or_edit_a_role

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair, thank you for coming back to me with this.

Just to be absolutely sure. If a user uses the search window to type in a 'raw' search they can only do so on the indexes assigned to the role?

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

Hello Chris,

If an index is assigned to the role under "Selected search indexes", then all the users associated under the role can only access that particular index unless you have another role which has other indexes. If you have more than one role assigned to a user, then it will be a union of all indexes of all roles.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi @renjith.nair.

Many thanks for the confirmation.

Kind Regards

Chris

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...