Hello,
I have an index named "email" which stores all my emails' information (mailfrom, mailto, subject, country, ...). I would like to limit the access to this index for different teams across the world. If an email is sent to the country Germany, I want the Germany team to have access only to email logs with the field "country" to "Germany".
Is it possible?
Thank you 🙂
Don't do this. Speaking as an admin who has learned from experience, srchFilter looks like something that solves your problem, but it actually causes more in the long run.
If you MUST have this level of access control, create an email_ index for each country you deal with (sucks that you have to know them all in advance) and use index-time transforms to route the events. Apply ACLs at the index level.
Pretend that srchFilter doesn't exist. If you don't, one day you'll think to yourself, "that overly dramatic guy on Splunk Answers was right, I should not have used srchFilter."
Ok... But what could go wrong?
up please 🙂
Maybe the easiest way would be to use Search Filters within your role.
Take a look at this:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Addandeditroles#Search_filter_format
For instance, when searching index email append "search Country = Germany" to the members of the German team, and so on.
The alternative is to use summary indexing and apply a different level of permissions there. In principle index level is the way you permission things in Splunk.
It will only be secure for indexed fields. A user can always overwrite search-time knowledge objects to circumvent the search filter.
So this filter is basically useless?
Maybe I could prevent the user from overwriting this object?
You can't prevent users from creating private objects.
The filter may be useful when you want to filter on one of the index's fields such as host, sourcetype or source.
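As an added example (not from this thread or from Splunk's documentation), here is the per-country index routing with index-level ACLs that the first answer recommends, next to the role-level srchFilter approach that the later replies say users can bypass. The sourcetype name mail_log, the index names, and the assumption that the raw event contains a "country=Germany" style key/value pair are assumptions; adjust the REGEX to the real event layout.

```ini
# transforms.conf (on the indexer or heavy forwarder)
# Route each event to a per-country index at index time. REGEX is matched
# against the raw event text (_raw) by default.
[route_email_de]
REGEX = (?i)\bcountry=Germany\b
DEST_KEY = _MetaData:Index
FORMAT = email_de

[route_email_fr]
REGEX = (?i)\bcountry=France\b
DEST_KEY = _MetaData:Index
FORMAT = email_fr

# props.conf: attach the routing transforms to the email sourcetype
# (sourcetype "mail_log" is an assumption). Keep the patterns mutually
# exclusive so that exactly one transform applies to each event.
[mail_log]
TRANSFORMS-route_country = route_email_de, route_email_fr

# indexes.conf: the target indexes must exist before events are routed to
# them; events routed to a non-existent index are not indexed.
[email_de]
homePath   = $SPLUNK_DB/email_de/db
coldPath   = $SPLUNK_DB/email_de/colddb
thawedPath = $SPLUNK_DB/email_de/thaweddb

# authorize.conf: the German team's role may only search its own index.
# This is enforced by index-level ACLs, not by a search-time filter that a
# user's private knowledge objects can change.
[role_email_de]
importRoles = user
srchIndexesAllowed = email_de
srchIndexesDefault = email_de

# For comparison, the weaker search-filter approach discussed in the thread:
# the filter is appended at search time and relies on the "country" field
# being extracted as expected, which a user can alter with a private
# field extraction.
[role_email_de_weak]
importRoles = user
srchIndexesAllowed = email
srchFilter = country=Germany
```

The routing transforms only affect events indexed after the change; events already in the shared email index stay where they are.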