If you are using deny (NOT) in your srchFilter be aware that inheritance of multiple roles with negative filters will negate each other.
For example:
role1: srchFilter = NOT abc
role2: srchFilter = NOT xyz
inherited/combined: srchFilter = (NOT abc) OR (NOT xyz)
outcome = access to all.
Anyone have a workaround for this?
This sounds like a case for srchFilterSelecting = false
: http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/authorizeconf
Then you'd get a combined filter of (NOT abc) AND (NOT xyz)
This sounds like a case for srchFilterSelecting = false
: http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/authorizeconf
Then you'd get a combined filter of (NOT abc) AND (NOT xyz)