Security

Restricting index access from apps

keerthana_k
Communicator

Hi,

We have two separate analytic apps running in a single setup. Users should be able to access both the apps and view the dashboards present in them. However, currently it is possible for a user to search for data of an app using the search page of the other app.

For example, if we have two apps A and B using indexes indexA and indexB respectively, users are able to search for data contained in indexB from app A's search page.

We want to restrict this in such a way that a user searching in app A should be allowed access only to indexA and user searching in app B should be allowed to access only indexB.

Is this possible? If so, please let me know how it can be done.

Thanks in advance

Keerthana

Tags (2)
0 Karma

kml_uvce
Builder

Hi Keerthana

kindly accept my ans. if it solves your problem...

0 Karma

bkondakindi
Path Finder

couple of way.

from index side you create a index rectrict
Create a local account on add roles to users

role_mvas_user1]
accelerate_datamodel = enabled
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = ;_;_audit;_blocksignature;_internal;_introspection;_thefishbucket;adprod;adtest;aix;akamai;am_prod;am_test;bcoat_logs;citrix_licensing;citrix_licensing_alerts;coheren
ce;collect_brokerage_tid;devops;dpw_prod;dpw_test;f5_prod;f5_test;fe;firedalerts;fireeye;hadoop;history;infra;linux;main;msad;msexchange;network;os;perfmon;rsa_daily_errors;security;service
_prod;service_test;sos;sos_summary_daily;summareakamaivfirst;summary;summary_akamai_vfirst;summary_forwarders;summary_hosts;summary_impersonations;summary_impersonations_test;summary_indexe
rs;summary_network_securesession;summary_pools;summary_rsa;summary_rsa_test;summary_rsa_test2;summary_sources;summary_sourcetypes;test;ud_prod;ud_test;unix;unix_summary;util_prod;util_test;
web;web_prod;web_test;windows;winevents;xenapp;xenapp_alerts;xenapp_perfmon;xenapp_winevents

0 Karma

nefeli
New Member

As the answer provided by kml_uvce is the best solution in terms of security, I'm thinking in an alternative solution. It's considerably less secure and I wouldn't recommend it, I'm just trying to give you more choices.

If you don't want to force the user to logout and login again in order to change the app, you can mask the real index name with an automatic lookup as explained in http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index.ht.... As lookups can be isolated to an app, if the user doesn't know the real index name will not be able to search in it out of the app where the lookup is applied. You should also keep the indexes out of "indexes searched by default" in the rol/user config to avoid them appearing in the search statistics.

0 Karma

kml_uvce
Builder

Create roles AUser and Buser under Settings->Access controls -> Roles ,give search index IndexA for AUser and IndexB for BUser and assign permissions of app A to role AUser and app B to Buser.
Assign respective users to role AUser and BUser under Settings->Access controls -> Users

gfuente
Motivator

Hello

I think this can not be achieved. The restrictions to the data are applied at a role level. If you have access to a index, you can search that index data from any app

Regards

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...