Security

Access permissions in cisco firewall app

jaygirlardo
New Member

Hey Splunkers,

I got a question hopefully someone can answer. In my setup I have the Cisco Security Suite and Cisco Firewalls app installed, as well as the Windows app. I am having problems with Cisco firewall data showing up in a user's overview. The user only has permissions to its site's index that contains that site's domain controller. The user has inherited roles from the default user but in that role I have deleted having access to main and internal indexes. So the default user has access to no indexes. Then when I created the site's user I gave him access to only the one index. So why is firewall info from other indexes showing up in his firewall app overview?

Any help is appreciated, Thanks!

0 Karma

DaveSavage
Builder

In Manager >> Access controls >> Users...does your user (listed there) have 2 roles in the near right column...e.g. 1 you created / crafted specially AND a default one?
If so, click on them and remove the default grey selected role....

0 Karma

jaygirlardo
New Member

Yup, they only have the one role I assigned them. About index independent, what is?

0 Karma

DaveSavage
Builder

...and if it's not that (an oversight I've made in the past ;-)...then you may need the orig author's 2-penneth.
I did clock in the release notes that (for say ASAs which we use) the update as at Sept 10th indicates 'is now index independent'....hmm.

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any others. But somehow firewall info is viewable from their login.

0 Karma

DaveSavage
Builder

Jaygirlardo,
These plug-ins use the index=firewall...and I guess that is the one you gave them access to?
If a user ran a standard search...and hypothetically a firewall pushed its logs to, say, a syslog server...which has a forwarder on it...then the results may go elsewhere e.g. 'main' which is the default?
How, or at what level did you think you implemented the permission(s)?
User levels within Splunk are fairly generic (from Manager tab...but you prob already know that).
Have you implemented any specific transforms?
Br
Dave

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any other Windows machines. But somehow firewall info is viewable from their login. For some reason I don't think it has to do with permissions. Maybe something the Cisco firewall app does by default? I think I have a good idea how the roles and users work, but I could be wrong.

0 Karma

DaveSavage
Builder

Indexes searched by default has to be 'clear all'd...I take it you did that?

0 Karma
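
An added example, not part of any post in this thread and not Splunk's own code: a small audit that resolves the indexes a role can effectively search from `authorize.conf`, including patterns inherited through `importRoles`, which is the inherited-role setup the thread discusses. The sample config, the role names and the index list are constructed, and the wildcard handling is a simplified assumption (`*` is treated as not covering `_`-prefixed internal indexes).

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_site_a]
importRoles = user
srchIndexesAllowed = site_a
srchIndexesDefault = site_a
"""
SAMPLE_INDEXES = ["main", "_internal", "site_a", "site_b", "firewall"]  # constructed

def load_roles(conf_text):
    """Parse authorize.conf text into {role: {setting: [values]}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = {
                key: [v.strip() for v in value.split(";") if v.strip()]
                for key, value in parser[section].items()
            }
    return roles

def effective_patterns(roles, role, setting="srchIndexesAllowed", seen=None):
    """Union of the role's own patterns and those of every imported role."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    patterns = set(roles[role].get(setting, []))
    for parent in roles[role].get("importRoles", []):
        patterns |= effective_patterns(roles, parent, setting, seen)
    return patterns

def searchable_indexes(roles, role, indexes):
    """Indexes the role may search; '*' does not cover internal (_) indexes."""
    patterns = effective_patterns(roles, role)
    return sorted(
        i for i in indexes
        if any(fnmatchcase(i, p) and (p.startswith("_") or not i.startswith("_"))
               for p in patterns)
    )
```

Run against a real `authorize.conf`, a role whose result lists more than the index it was given points at an imported role that still carries a broader `srchIndexesAllowed` entry.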