Limit access to specific events in one index

ips_mandar · ‎11-26-2018

Hi,
I have one role which has Restrict search terms as index=abc $table="azuredignostics"
then how this user having this role can access $table="Perf" data. How he can get access to all data from calculated fields
but I am not able to achieve what eval function need to be created.
As I am using OMS add-on so it has 1 source, 1 host and 1 sourcetype so in calculated fields * won't help.

woodcock · ‎11-26-2018

Do not use this feature; it is easy to bypass so paper-thin as to be useless. The only true access-control is denying access to particular index values.

ips_mandar · ‎11-26-2018

yes I can understand that there will be security issue I just wanted to understand How to bypass take access to all data using calculated fields ...as I was trying to create calculated fields to bypass access but unable to do so as I have only 1 host, source and sourcetype.

woodcock · ‎11-28-2018

If the restriction requires a field, then create a calculated field that defines it; if it requires the field not to exist, create a calculated field that sets it to null(). Boom! Bypassed.

Limit access to specific events in one index

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...