Hi There,
I am having a Distributed Splunk setup with a Search Head and 2 Indexers. I have few roles setup(Integrated to AD) with in the system with a role associated with a particular Index (srchIndexesAllowed = "
I would need this to be implemented in my Environment to have complete control. How can I achieve this.
Regards
Anirudh
Make sure your roles aren't inheriting more lenient permissions from parent roles.
srchIndexesAllowed should Ideally have taken care of it. It the user being part of multiple group that caused this behaviour.