Solved: Locking down app and role to search only one index...

avalle · ‎02-01-2016

Hello all,

I have looked at documentation and a few of the questions on here and have tried it all.
I have created an app (let's call it ppl app), assigned a role (let's call it ppl role) to it, and that role is locked down to one index (lets call it the ppl index).
I have given the app access to the ppl role.
I have restricted that role to search index=ppl only.

Gave it the following capabilities:
accelerate_search
change_own_password
get_typeahead
pattern_detect
search

Why are the users assigned to this role able to search the main index?
Am I missing a step somewhere?

avalle · ‎02-01-2016

I think I found the answer...........there is a delay in LDAP synch. I just had to wait it out and it worked.

View solution in original post

somesoni2 · ‎02-01-2016

1) Check if the ppl role is inheriting any other role (say user role)?
2) There are two index related settings available while creating a role, "Indexes searched by default" and "Indexes", make sure that only your ppl index is selected in both the settings for ppl role.

avalle · ‎02-01-2016

I think I found the answer...........there is a delay in LDAP synch. I just had to wait it out and it worked.

gtriSplunk · ‎02-01-2016

Are the users members of any other role? If a user is a member of multiple roles they will be able to search indexes that are a member of any of the roles.

avalle · ‎02-02-2016

Yes I am sure! we had an LDAP delay.

Locking down app and role to search only one index, why are users that are assigned this role able to search the main index?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?