Getting Data In

Is it safer to create separate indexes than to add search restrictions?

Clovisa
Path Finder

Hi, I am wondering which one is the safest option to restrict access to my data and why.

Let's say that I sell shoes to resellers and to direct customers. I would like customers not to be able to see the shoes destined for the resellers.

Is it better to:

  • Forward all the shoes in a global "shoes" index and, when I configure the "customer" role, add a search restriction (like "Recipient=customer") or
  • Forward the customer part in a dedicated index and same for the reseller part, and then give access only to the corresponding index to the customer

Thank you!

0 Karma
1 Solution

robgora_deloitt
Path Finder

I would always do permissions off of Indexes rather than search restriction. This way, you can get granular in what type of data is allowed. Then if the user doesn't have access to the index it just won't show in the Search query.

p_gurav
Champion

I think it's better to create separate indexes instead of search restrictions.

0 Karma

Clovisa
Path Finder

Is it an intuition or do you have some reasons in mind?

0 Karma

p_gurav
Champion

What if, in the future, you have to create or correlate data for business reports or dashboards? Then you would have to change the search restrictions again.
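
Added example, not part of the original thread or anyone's production configuration: the two options from the question written out as Splunk `.conf` stanzas, so the difference in where the restriction is enforced is visible. The index names `shoes`, `shoes_customer`, `shoes_reseller` and the role names are assumptions made up for illustration.

```ini
# ---- Option 1: one shared index, restricted by a role search filter ----
# authorize.conf
[role_customer]
srchIndexesAllowed = shoes
srchIndexesDefault = shoes
# Appended to every search this role runs. The events for resellers sit
# in the same index, so the filter is the only thing separating them.
# Filters from several roles held by one user are combined with OR, so a
# second role without this filter widens what the user can see.
srchFilter = Recipient=customer

# ---- Option 2: one index per audience, restricted by index access ----
# indexes.conf (hypothetical index names)
[shoes_customer]
homePath   = $SPLUNK_DB/shoes_customer/db
coldPath   = $SPLUNK_DB/shoes_customer/colddb
thawedPath = $SPLUNK_DB/shoes_customer/thaweddb

[shoes_reseller]
homePath   = $SPLUNK_DB/shoes_reseller/db
coldPath   = $SPLUNK_DB/shoes_reseller/colddb
thawedPath = $SPLUNK_DB/shoes_reseller/thaweddb

# authorize.conf (alternative definition of the same customer role)
[role_customer]
# No srchFilter needed: the role cannot search shoes_reseller at all.
srchIndexesAllowed = shoes_customer
srchIndexesDefault = shoes_customer

[role_reseller]
srchIndexesAllowed = shoes_reseller
srchIndexesDefault = shoes_reseller

# Internal reporting role that needs to correlate both data sets.
[role_shoes_reporting]
srchIndexesAllowed = shoes_customer;shoes_reseller
srchIndexesDefault = shoes_customer;shoes_reseller
```

With option 2 the split has to happen when the data is ingested, by setting `index` on each input in inputs.conf, because an event's index cannot be changed after it has been written.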
