Security

Access permissions in cisco firewall app

jaygirlardo
New Member

Hey Splunkers,

I got a question hopefully someone can answer. In my setup I have the Cisco security suite and Cisco firewalls app installed, as well as the Windows app. I am having problems with Cisco firewall data showing up in a user's overview. The user only has permissions to its site's index that contains that site's domain controller. The user has inherited roles from the default user but in that role I have deleted having access to main and internal indexes. So the default user has access to no indexes. Then when I created the site's user I gave him access to only the one index. So why is firewall info from other indexes showing up in his firewall app overview?

Any help is appreciated, Thanks!

0 Karma

DaveSavage
Builder

In Manager >> Access controls >> Users... does your user (listed there) have 2 roles in the near right column... e.g. 1 you created / crafted specially AND a default one?
If so, click on them and remove the default grey selected role...

0 Karma

jaygirlardo
New Member

Yup, they only have the one role I assigned them. About "index independent", what is that?

0 Karma

DaveSavage
Builder

...and if it's not that (an oversight I've made in the past ;-) ...then you may need the orig author's 2-penneth.
I did clock in the release notes that (for say ASAs which we use) the update as at Sept 10th indicates 'is now index independent'....hmm.

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any others. But somehow firewall info is viewable from their login.

0 Karma

DaveSavage
Builder

Jaygirlardo,
These plug-ins use the index=firewall...and I guess that is the one you gave them access to?
If a user ran a standard search...and hypothetically a firewall pushed its logs to, say, a syslog server...which has a forwarder on it...then the results may go elsewhere e.g. 'main' which is the default?
How, or at what level did you think you implemented the permission(s)?
User levels within Splunk are fairly generic (from Manager tab...but you prob already know that).
Have you implemented any specific transforms?
Br
Dave

0 Karma

jaygirlardo
New Member

Yes, the firewall logs are going to a different index that they do not have permission to. I configured it right for the Windows app because they only see Windows info from their index, not any other Windows machines. But somehow firewall info is viewable from their login. For some reason I don't think it has to do with permissions. Maybe something the Cisco firewall app does by default? I think I have a good idea how the roles and users work, but I could be wrong.

0 Karma

DaveSavage
Builder

Indexes searched by default has to be 'clear all'd...I take it you did that?

0 Karma
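One way to check the role questions raised in this thread offline, as an added example that is not from any of the posters or from the Cisco apps: it reads `[role_*]` stanzas in `authorize.conf` format and computes the index patterns a role ends up with once `importRoles` inheritance is followed. The role names and the `site_a` index are constructed, and the wildcard matching is a simplification.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf; role names and the site_a index are made up.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed =
[role_power]
importRoles = user
srchIndexesAllowed = *
[role_site_a]
importRoles = user
srchIndexesAllowed = site_a
[role_site_a_legacy]
importRoles = site_a;power
srchIndexesAllowed = site_a
"""

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def effective_allowed(roles, name, seen=None):
    """Union of srchIndexesAllowed over a role and everything it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(split_list(roles[name].get("srchIndexesAllowed")))
    for parent in split_list(roles[name].get("importRoles")):
        patterns |= effective_allowed(roles, parent, seen)
    return patterns

def can_search(roles, name, index):
    def covers(pattern, idx):
        # A pattern such as "*" does not reach internal "_" indexes; "_*" does.
        if idx.startswith("_") and not pattern.startswith("_"):
            return False
        return fnmatchcase(idx, pattern)
    return any(covers(p, index) for p in effective_allowed(roles, name))

if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONF)
    for role in sorted(roles):
        print(role, sorted(effective_allowed(roles, role)), can_search(roles, role, "firewall"))
```

In the sample, `site_a` cannot reach `index=firewall`, while `site_a_legacy` can, because an imported role carries `*`.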