Splunk Dev

Can I restrict Splunk users to a particular index only?

pradiptam
Explorer

I have the following scenario. I have five users, say A, B, C, D and E, and I have five indexes: Index1, Index2, Index3, Index4 and Index5. Can I restrict the users in the following way?

User A -> All activities directed to Index1
User B -> All activities directed to Index2
User C -> All activities directed to Index3
User D -> All activities directed to Index4
User E -> All activities directed to Index5

If I create a role and assign Index1, will all data be redirected to Index1, and similarly for the others?
So far everything should work, but when I try to upload data, I can see all the indexes. Why?

Please provide your suggestions regarding the scenario.


mprreddy51
Explorer

Yes, you can restrict the user to searching a particular index or sourcetype. Below is an example stanza in authorize.conf:

[role_abc_user]
importRoles = user
srchFilter = NOT (sourcetype = a OR sourcetype = b OR sourcetype = c OR sourcetype = d)
srchIndexesAllowed = abcd
srchIndexesDefault = abcd
srchMaxTime = 0

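The stanza above applied to the five-user scenario from the question, as an added example that is not part of the original answer. The role names, index names and the user-to-role mapping are assumptions; the keys are standard authorize.conf settings. The settings only limit what each role is allowed to search: they do not route uploaded or forwarded data, which still lands in whatever index the input is configured for.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/ directory)
# Added example: one search role per index. Assign user A to role_index1_user,
# user B to role_index2_user, and so on (Settings > Users, or your auth
# provider's role mapping). Role and index names here are assumptions.
#
# srchIndexesAllowed : the only indexes this role may search
# srchIndexesDefault : searched when the user does not write index=... themselves
# srchMaxTime        : 0 removes the default search time limit
#
# Caveat: importRoles pulls in the imported role's own settings as well, so the
# effective index list is not just what you write here. Check the result with:
#   | rest /services/authorization/roles splunk_server=local
#   | search title="role_index*"
#   | table title srchIndexesAllowed srchIndexesDefault imported_srchIndexesAllowed
# (the imported_* field name is an assumption about the roles REST endpoint).

[role_index1_user]
importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1
srchMaxTime = 0

[role_index2_user]
importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2
srchMaxTime = 0

[role_index3_user]
importRoles = user
srchIndexesAllowed = index3
srchIndexesDefault = index3
srchMaxTime = 0

[role_index4_user]
importRoles = user
srchIndexesAllowed = index4
srchIndexesDefault = index4
srchMaxTime = 0

[role_index5_user]
importRoles = user
srchIndexesAllowed = index5
srchIndexesDefault = index5
srchMaxTime = 0
```

Editing the file directly requires a Splunk restart; the same roles can be created under Settings > Roles without one. Nothing in authorize.conf changes where uploaded data is written, so a user in role_index1_user who picks another index in the upload wizard still writes there; the role merely prevents them from searching it afterwards.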

somesoni2
Revered Legend

By activity, if you mean searching, then yes, all of User A's searches will be redirected, or, in better terms, restricted to Index1 only.


pradiptam
Explorer

Thanks for the reply.

By activity I mean both searching and uploading data. Searching is getting redirected to one index only, say User A points to Index1 only.

But the only thing is, while uploading data, say User A uploads data, I cannot remove the "default index"; there I manually select Index1. So, is there any means to hide the default index?


somesoni2
Revered Legend

As far as I know, rerouting the data to a specific index based only on the user is not possible. The data inputs/uploads are not user specific (you can't set sharing permissions on those), hence they would not have access to user attributes like which index the user has access to.


kristian_kolb
Ultra Champion

For a role, you can assign access to one or more indexes. However, this has nothing to do with where log data FROM a particular user is stored.

The fact that you can see everything is perhaps because you are an administrator and your role has full access?

/k
