Hello,
I have a theoretical question, as I am currently working on index organisation to set up my future user access delegation.
Let's say I have:
- two servers SERVER1 and SERVER2
- I am collecting security event logs and performance counters on both servers
- security logs go into index security, and performance counters go into perfmon index
Now the theoretical use cases...
Let's say I have 2 teams (among other use cases):
- team 1 needs to access security logs only for his server (SERVER1) but perfmon data for any server
- same for team 2 and SERVER2
Is the following going to work?
- I create three roles: perfmon-all, security-server1, security-server2
- perfmon-all is granted access to index perfmon and both teams are granted this role
- security-server1 is granted access to index security + I use "Restrict search terms" to enforce "host=SERVER1"
- security-server2 is granted access to index security + I use "Restrict search terms" to enforce "host=SERVER2"
Otherwise, what are the options to cover this kind of use case?
Note: multiplying the number of indexes to adjust to the required granularity is not a practical option, as I will have hundreds of servers in production with mixed similar use cases.
Regards.
I answer myself after a real test. What I suggested below does not work. Job inspector helped me confirm that what I specify in "Restrict search terms" for each role is ultimately mixed together, resulting in random results.
Still looking for an alternative solution to my delegation requirement...
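
An added example, not part of the original posts: the three roles from the question written as `authorize.conf` stanzas, first as proposed and then with each "Restrict search terms" filter scoped to its own index. It assumes Splunk's default behaviour of joining the search filters of all roles a user holds with OR; the result should be confirmed in the Job Inspector on the Splunk version in use.

```ini
# --- As proposed in the question ---------------------------------------
# The filter on security-server1 names no index, so once roles are merged
# it is no longer tied to the security index.
[role_perfmon-all]
srchIndexesAllowed = perfmon

[role_security-server1]
srchIndexesAllowed = security
srchFilter = host=SERVER1

[role_security-server2]
srchIndexesAllowed = security
srchFilter = host=SERVER2

# --- Index-scoped variant ----------------------------------------------
# Every role carries a filter that names its own index. Under the OR
# assumption, a team 1 user (perfmon-all + security-server1) ends up with:
#   (index=perfmon) OR (index=security host=SERVER1)
# which is perfmon for any host, security for SERVER1 only.
[role_perfmon-all]
srchIndexesAllowed = perfmon
srchFilter = index=perfmon

[role_security-server1]
srchIndexesAllowed = security
srchFilter = index=security host=SERVER1

[role_security-server2]
srchIndexesAllowed = security
srchFilter = index=security host=SERVER2
```

The two variants are alternatives for the same stanzas, not one file. Any other role the users hold or inherit contributes its own filter to the OR, so an unrestricted inherited role would widen access again.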