Security

How come after allowed Indexes are restricted in authorize.conf, affected users are still able to search anywhere?

pkarpushin
Path Finder

On my SearchHead (ver 7.1.3), I have created a user role by manually editing the authorize.conf file, which restricts the allowed indexes for this role, and then I rebooted the Splunk service.

I am not able to create a user role and choose Allowed Indexes for this role via the SearchHead GUI because of SPL-145546.
Below is authorize.conf:

[role_restricted_user]
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled

[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
srchIndexesDefault = test_network

Index "test_network" is configured on the Indexer and has indexed events in it.
However, a user with role test_network_2 still gets search results from other indexes.

The same picture persists when I create a user role and user with this role on the Indexer.

Am I missing something? Please advise.

0 Karma

harsmarvania57
Ultra Champion

Hi @pkarpushin,

You are facing this issue because you are inheriting the user role. By default, the user role has srchIndexesAllowed = *, so that's why users with role test_network_2 are able to access other indexes.

0 Karma
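
To illustrate the inheritance described in this answer (an added example, not code from the thread or from Splunk): the sketch below computes the union of srchIndexesAllowed over a role and every role it pulls in through importRoles. The [role_user] stanza and the role test_network_1 are constructed for comparison, and the rule that a wildcard only reaches internal indexes when it starts with an underscore is taken from the authorize.conf spec.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: "user" as the answer describes the default role, the
# asker's two stanzas (capabilities trimmed), and a hypothetical role
# "test_network_1" that imports "user" for comparison.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *

[role_restricted_user]
search = enabled

[role_test_network_1]
importRoles = user
srchIndexesAllowed = test_network

[role_test_network_2]
importRoles = restricted_user
srchIndexesAllowed = test_network
"""

def _split(value):
    # Both settings take semicolon-separated lists.
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_allowed(conf_text, roles):
    """Union of srchIndexesAllowed over the roles and every role they import."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    allowed, seen, todo = set(), set(), list(roles)
    while todo:
        role = todo.pop()
        section = "role_" + role
        if role in seen or not cp.has_section(section):
            continue
        seen.add(role)  # also guards against import cycles
        allowed.update(_split(cp.get(section, "srchIndexesAllowed", fallback="")))
        todo.extend(_split(cp.get(section, "importRoles", fallback="")))
    return allowed

def can_search(allowed, index):
    """A wildcard reaches internal (underscore-prefixed) indexes only if it starts with an underscore."""
    return any(
        fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
        for p in allowed
    )
```

On a real deployment the input should be the merged configuration (for example the output of `splunk btool authorize list`), and the role list should contain every role assigned to the user, since a user's roles are combined the same way.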

pkarpushin
Path Finder

Hi @harsmarvania57
Thank you for your answer.
Just after I posted this question, I found out that Allowed Indexes are inherited with the roles.
So I created a new role, restricted_user, the same as the default user role except for the srchIndexesAllowed param (above in the updated question).
Unfortunately the issue persists.

0 Karma