Security

Limit access to index by Role without breaking other roles

cboillot
Contributor

I have user A who is assigned 3 different roles. Normally this isn't an issue, but one of those roles has a restricted search in it that will only show 4 servers in the main index.

2 of the 3 roles just grant access to specific indexes.

The 3rd role grants access to the main index and has the following restriction:

(host::serverA OR host::serverB OR host::serverC OR host::serverD) 

The issue that I am having is that the restriction is carrying over to the other roles.

How would I set this up so that only those 4 servers are searched in main, without those restrictions carrying over to the other roles?


richgalloway
SplunkTrust

The search restriction is not carrying over into other roles. The user is a member of a role with a search restriction, so it is being applied to that role. The user's membership in other roles does not negate the restriction.

A solution would be to create a new role for the user that has the permissions he needs.

---
If this reply helps you, Karma would be appreciated.

cboillot
Contributor

That's what I thought at first, but when we have the role with restrictions applied, the user is not seeing data in index A or B, just the 4 servers in main. But if we remove that role, they are able to see the data in index A and B.


richgalloway
SplunkTrust

That makes perfect sense if indexes A and B do not contain data from host IN (serverA serverB serverC serverD). Once the restriction is removed, the user can see what's in A or B regardless of the host name.

---
If this reply helps you, Karma would be appreciated.

cboillot
Contributor

Right, how do I let the user search all of Index A & B, and only host 1-4 in main?


richgalloway
SplunkTrust

I'm not sure you can. The search restrictions will always get in the way of indexes A and B.

If hosts 1-4 require different security, then they should be in a different index.

---
If this reply helps you, Karma would be appreciated.
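As an added illustration of the approach in the reply above (this is example configuration, not anything posted in the thread), here is what the role layout looks like in authorize.conf once the four hosts are written to their own index instead of being carved out of main with a host filter. The index names `restricted_hosts`, `indexa` and `indexb` and the role names are assumed for the example; the point is that no role needs a srchFilter any more, so nothing host-based follows the user into the other indexes.

```ini
# --- authorize.conf (example layout, names assumed) ---

# Role 1: plain access to index A, no search filter.
[role_index_a_readers]
srchIndexesAllowed = indexa
srchIndexesDefault = indexa

# Role 2: plain access to index B, no search filter.
[role_index_b_readers]
srchIndexesAllowed = indexb
srchIndexesDefault = indexb

# Role 3: was "main" plus
#   srchFilter = (host::serverA OR host::serverB OR host::serverC OR host::serverD)
# That filter is a property of the role, so it applied to every index the
# user could search, not just main. Replace it with access to the dedicated
# index and drop srchFilter entirely.
[role_restricted_hosts]
srchIndexesAllowed = restricted_hosts
srchIndexesDefault = restricted_hosts

# --- inputs.conf on serverA..serverD (or the forwarder that collects them) ---
# Route the four hosts' data to the dedicated index at ingest time instead of
# filtering it out of main at search time.
[monitor:///var/log]
index = restricted_hosts
```

A user holding all three roles now searches `indexa`, `indexb` and `restricted_hosts` without any filter interfering, and users who should see only the four servers get `role_restricted_hosts` alone. If the four hosts' data already sits in main, it has to be re-ingested into the new index; existing buckets are not moved by a change to authorize.conf.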