Good afternoon,
We are using Splunk 6.1x
We have 1 index "wls_app" and 300+ sourcetypes within that index. Nice, eh? Each sourcetype is really tied to an LDAP group (we at least named them the same). Two things I thought I had to do:
1. Create a new role: In the search head, under Settings, Access controls, Roles - NEW, fill out the form. But...the bottom of the form only allows me to restrict by Index.
2. Map the role to an Index: Access Controls - authentication method - LDAP strategies - LDAP Groups, and select one of the 300; Splunk provides me a list of Indexes to choose from.

Since the GUI seems to be Index to Role to LDAP group, how can I map a role to a sourcetype?
Thanks,
Steve
The best way to restrict access is indeed per index, as you've discovered already.
Beyond that you can set a search filter for each role that forces additional terms onto each search run by a user in that role: http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_f...
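
One way to apply the search-filter approach to many LDAP groups named after their sourcetypes is to generate the role stanzas. This is an added example, not part of the original answer; the strategy name `corp_ldap` and the sample group names are constructed, and granting `search = enabled` directly rather than importing another role is this example's assumption.

```python
import re

INDEX = "wls_app"        # index named in the question
STRATEGY = "corp_ldap"   # hypothetical LDAP strategy name (assumption)

# Only allow names that cannot break out of the quoted srchFilter value.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.:\-]+$")

def role_name(group):
    """Role names in authorize.conf must be lowercase."""
    return re.sub(r"[^a-z0-9_]", "_", group.lower())

def render(groups, index=INDEX, strategy=STRATEGY):
    """Return (authorize.conf text, authentication.conf roleMap text)."""
    seen = {}
    roles = []
    role_map = [f"[roleMap_{strategy}]"]
    for group in groups:
        if not SAFE_NAME.match(group):
            raise ValueError(f"unsafe group/sourcetype name: {group!r}")
        role = role_name(group)
        if role in seen:
            # Two LDAP groups collapsing to one role would merge their access.
            raise ValueError(f"{group!r} and {seen[role]!r} both map to {role!r}")
        seen[role] = group
        roles.append(
            f"[role_{role}]\n"
            "search = enabled\n"                    # capability set directly, no importRoles
            f"srchIndexesAllowed = {index}\n"
            f"srchIndexesDefault = {index}\n"
            f'srchFilter = sourcetype="{group}"\n'  # terms forced onto every search
        )
        role_map.append(f"{role} = {group}")        # <splunk role> = <LDAP group>
    return "\n".join(roles), "\n".join(role_map) + "\n"

if __name__ == "__main__":
    # Constructed sample; in practice read the 300+ group names from a file.
    authorize, authentication = render(["WLS_Billing", "wls_orders"])
    print(authorize)
    print(authentication)
```

Review the generated stanzas before placing them in `authorize.conf` and `authentication.conf`, and check with a test account in each role that a search over `wls_app` returns only that role's sourcetype.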