Security

Limit access to specific events in one index

ips_mandar
Builder

Hi,
I have one role which has Restrict search terms as index=abc $table="azuredignostics"
then how this user having this role can access $table="Perf" data. How he can get access to all data from calculated fields
but I am not able to achieve what eval function need to be created.
As I am using OMS add-on so it has 1 source, 1 host and 1 sourcetype so in calculated fields * won't help.

0 Karma

woodcock
Esteemed Legend

Do not use this feature; it is easy to bypass so paper-thin as to be useless. The only true access-control is denying access to particular index values.

0 Karma

ips_mandar
Builder

yes I can understand that there will be security issue I just wanted to understand How to bypass take access to all data using calculated fields ...as I was trying to create calculated fields to bypass access but unable to do so as I have only 1 host, source and sourcetype.

0 Karma

woodcock
Esteemed Legend

If the restriction requires a field, then create a calculated field that defines it; if it requires the field not to exist, create a calculated field that sets it to null(). Boom! Bypassed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...