Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Per-index permissions

Ricapar
Communicator
‎07-25-2013 08:26 AM

This isn't a question on how to set the permissions, but more on why they are the way they are.

Every object in Splunk (saved search, a view xml, an app, etc) has it's own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.

This isn't the case with indexes however.

I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.

This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.

Is there a technical reason why they were permissioned out this way, instead of how every other object is?

EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.

Reply

_d_
Splunk Employee
Splunk Employee
‎07-25-2013 09:04 AM

I suppose you can create two new roles - each with their own list of allowed indexes - and then configure your existing roles to inherit from them. Basically you're exploiting the inheritance feature for allowed indexes, as documented here: About Configuring role-based user access

Reply

Ricapar
Communicator
‎07-26-2013 04:41 AM

This is actually what I ended up doing - was just hoping there was a better/more straight-forward way 🙂

Thanks

0 Karma
Reply

linu1988
Champion
‎07-25-2013 08:42 AM

It's the basis of creating roles now in Splunk. I would also like to have an option where we can choose option which index is not accessible.

while index creation it would be hard to maintain which role it belongs to.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...