Getting Data In

How do I use authorize.conf centrally to manage user role access to indexes?

pbrinkman
Path Finder

We have a 6-node SHC.

Want to use the deployer to push out authorize.conf so that we can manage the user/role/index access centrally.

Looking for an example of how you control which index is seen by which user/role.

For example, the role would look like:
[mail team]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = mailgatewaylogs;maillogs;emailscanlogs
srchMaxTime = 8640000

How do I specify users that have the mail team role?

user1:mail team
user2:mail team
user3:mail team

Have not been able to find any reference or example as to how best to set this configuration centrally.

Thanks in advance.

 


pbrinkman
Path Finder

Glad I asked the question @isoutamo, always wondered what the options were. Have gone down the route of creating an AD account and going from there, adding the capabilities and what index these users can see.
It was also more around having people in different roles. Thanks for the info.

isoutamo
SplunkTrust

Hi

This was an interesting question. I have never used local users on SHC even though it's possible.

The best practice is to use external user directories to manage users and role assignments for them. Then you have those role maps in auth*.conf files. Those are easy to push with the deployer.

If you want to use local (Splunk internal) users on SHC, then first create roles (I think that those cannot contain a space in the name?). Push those from the deployer as usual. Then use the GUI to create users and assign roles to them.
r. Ismo
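A pre-push check for the setup discussed in this thread, added here as an example and not written by either poster: it reads an authorize.conf and an authentication.conf, lists which indexes each role may search, and flags role stanzas that are not valid `[role_<name>]` stanzas as well as `roleMap_` entries that point at a role defined nowhere. Assumptions: role names are lowercase with no spaces, colons, semicolons or slashes; the strategy name `corp_ldap`, the directory group names and the short list of shipped roles are hypothetical or simplified sample values.

```python
import configparser
import re

# Constructed sample input, not taken from the thread. "corp_ldap" and the
# directory group names are hypothetical.
AUTHORIZE_CONF = """
[role_mail_team]
importRoles = user
srchIndexesAllowed = mailgatewaylogs;maillogs;emailscanlogs

[mail team]
importRoles = user
"""
AUTHENTICATION_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap

[roleMap_corp_ldap]
mail_team = Mail-Team
helpdesk = Helpdesk
"""
SHIPPED_ROLES = {"admin", "power", "user", "can_delete"}  # assumed, not exhaustive
OTHER_STANZAS = ("capability::", "default", "tokens_auth")  # non-role stanzas to skip
BAD_NAME = re.compile(r"[A-Z\s:;/]")  # characters assumed invalid in a role name

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def lint(authorize_text, authentication_text):
    """Return ({role: [searchable indexes]}, [findings]) for the two conf texts."""
    roles, findings = {}, []
    authz = parse(authorize_text)
    for stanza in authz.sections():
        if stanza.startswith(OTHER_STANZAS):
            continue
        name = stanza[len("role_"):]
        if not stanza.startswith("role_") or BAD_NAME.search(name):
            findings.append(f"authorize.conf [{stanza}]: not a valid [role_<name>] stanza")
            continue
        allowed = authz[stanza].get("srchIndexesAllowed", "")
        roles[name] = [i.strip() for i in allowed.split(";") if i.strip()]
    authn = parse(authentication_text)
    for stanza in authn.sections():
        if stanza.startswith("roleMap_"):
            for role in authn[stanza]:  # each key is a Splunk role name
                if role not in roles and role not in SHIPPED_ROLES:
                    findings.append(f"authentication.conf [{stanza}]: role '{role}' is not defined")
    return roles, findings
```

Running `lint(AUTHORIZE_CONF, AUTHENTICATION_CONF)` on the sample reports the `[mail team]` stanza and the unmapped `helpdesk` role; only `mail_team` comes back with its three indexes.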
