I have a role assigned to an AD group that limits their access to specific events in a Windows event log index.
The restriction on the role reads "EventCode=4740 OR EventCode=4625 OR " etc.
This same group wants access to another index. However, the restriction on the role above prevents them from reading events from the other index, because none of those events exist in the other index.
How do I resolve this issue?
Hi MikeBertelsen,
Access rights are managed at the index level, so it isn't possible to limit access to only a part of an index.
Probably the best solution is to send the special events (EventCode=4740 OR EventCode=4625 OR ...) to a different index (e.g. special_win) and grant both roles access to this index, limiting access to the main_windows index to one role.
To do this, see http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
On your indexer or heavy forwarder (the first Splunk instance that parses the data; a universal forwarder does not apply props/transforms):

# etc/system/local/transforms.conf
# Index-time transform: if REGEX matches the raw event, rewrite the
# destination index to FORMAT. The target index must already exist
# in indexes.conf, otherwise the events are dropped.
[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = EventCode\=4740|EventCode\=4625
FORMAT = my_new_index

# etc/system/local/props.conf
# Replace "mysourcetype" with the sourcetype of the Windows events,
# e.g. WinEventLog:Security, so the transform is applied to them.
[mysourcetype]
TRANSFORMS-index = overrideindex
It might be possible (but it's very hard!) to manage different access levels in dashboards, but it's slow, and dashboard search filters don't run!
Bye.
Giuseppe
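The index-time routing in the answer above, as an added example that is not part of the original post or of Splunk's own code: a small Python simulation that applies the transforms.conf REGEX to a few constructed WinEventLog-style raw events and reports which index each would land in. It also shows a caveat a practitioner would want to check: the unanchored REGEX also matches a longer event code that merely begins with 4740 or 4625, so a tightened pattern with a digit boundary is shown beside it. The index names main_windows and my_new_index come from the thread; the sample events are constructed, not real log data.

```python
import re

# Constructed sample events in the raw layout Splunk's Windows event log
# input produces (one key=value per line). Not real log data.
SAMPLE_EVENTS = [
    "05/14/2019 09:12:01 AM\nLogName=Security\nEventCode=4740\n"
    "ComputerName=DC01.example.local\nMessage=A user account was locked out.",
    "05/14/2019 09:12:05 AM\nLogName=Security\nEventCode=4625\n"
    "ComputerName=DC01.example.local\nMessage=An account failed to log on.",
    "05/14/2019 09:12:09 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=DC01.example.local\nMessage=An account was successfully logged on.",
    # Constructed five-digit code that starts with 4740, to expose the boundary problem.
    "05/14/2019 09:12:11 AM\nLogName=Application\nEventCode=47401\n"
    "ComputerName=APP01.example.local\nMessage=Some application event.",
]

# The REGEX from the transforms.conf stanza in the answer: Splunk applies it
# as an unanchored search over _raw, which re.search() mimics here.
LOOSE_REGEX = re.compile(r"EventCode\=4740|EventCode\=4625")

# Tightened version (an assumption, not from the thread): the same two codes,
# but the match must not be followed by another digit.
TIGHT_REGEX = re.compile(r"EventCode=(?:4740|4625)(?!\d)")

DEFAULT_INDEX = "main_windows"   # index the input writes to by default
OVERRIDE_INDEX = "my_new_index"  # FORMAT of the transform; must exist in indexes.conf


def event_code(raw):
    """Return the EventCode field of a raw event, or None if it has none."""
    m = re.search(r"^EventCode=(\d+)$", raw, re.M)
    return m.group(1) if m else None


def route_event(raw, regex=TIGHT_REGEX):
    """Mimic a DEST_KEY = _MetaData:Index override: if the transform's REGEX
    matches the raw event, the event is written to FORMAT (OVERRIDE_INDEX);
    otherwise it stays in the input's default index."""
    return OVERRIDE_INDEX if regex.search(raw) else DEFAULT_INDEX


def route_all(events, regex=TIGHT_REGEX):
    """Route a list of raw events and return (event_code, index) pairs."""
    return [(event_code(raw), route_event(raw, regex)) for raw in events]


if __name__ == "__main__":
    for label, regex in (("loose", LOOSE_REGEX), ("tight", TIGHT_REGEX)):
        print(f"--- {label} regex ---")
        for code, index in route_all(SAMPLE_EVENTS, regex):
            print(f"EventCode={code:<6} -> index={index}")
```

With the loose pattern the constructed EventCode=47401 event is routed to my_new_index alongside 4740 and 4625; with the tightened pattern only the two intended codes are moved and 4624 and 47401 stay in main_windows. Two further checks before relying on this in Splunk: the override only affects data parsed after the change (events already indexed are not moved), and both roles still need my_new_index in their allowed indexes for the search to return anything.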
It is not impossible to restrict access to just part of an index, because the restriction on the role does exactly that. That solution works great if a group is to have access only to part of an index. It does, however, defeat adding access to an additional index, because the restriction overrides the access to the added index.
I agree that the props/transforms approach is likely the best solution.
Hoping that there is another option.