I would like to achieve full tenant isolation in Splunk. What is possible already is to split the indexed data and restrict access of a tenant to his index. However, I struggle to restrict access to reports, dashboards and other user-created content (I think those are called knowledge objects) to the given tenant.
For example:
Say, a user creates a dashboard. Then he can choose to share it within the entire app or to keep it private. If he shares it within the app, then all tenants' users will see the dashboard, even though it will show no data since the index is not accessible by other tenants.
I know that there is a possibility to have every tenant use its own app. Then, what is shared within the app is only accessible by the users of this app. But then, it would be necessary to create several instances of an app; say, if all tenants are to use the search app, there will be search_tenant1, search_tenant2, etc. Whenever a new tenant is added, it would be necessary to make another copy of the app folder and modify its configuration.
This sounds a bit cumbersome; I wonder if there is an easier way to achieve full tenant isolation?
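The per-tenant app approach described in the question can be scripted instead of copied by hand. This is an added example, not part of the original post and not Splunk tooling; the `tenant_<name>` app and role names and an index named after the tenant are assumptions.

```sh
#!/bin/sh
# Added example: scaffold one Splunk app per tenant.
# Assumed naming: app tenant_<name>, role tenant_<name>, index <name>.
set -eu

# make_tenant_app <apps_dir> <tenant>
# Writes the app skeleton and prints a role stanza for authorize.conf.
make_tenant_app() {
  apps_dir=$1 tenant=$2
  # Reject names that could escape apps_dir or break stanza syntax.
  case $tenant in
    ''|*[!a-z0-9_]*) echo "invalid tenant name: $tenant" >&2; return 1 ;;
  esac
  app=$apps_dir/tenant_$tenant
  mkdir -p "$app/default" "$app/metadata"

  cat > "$app/default/app.conf" <<EOF
[ui]
is_visible = true
label = Tenant $tenant
EOF

  # The [] stanza is the default ACL for the app and every object in it.
  # There is no "export = system" line, so objects shared "in app" stay here.
  cat > "$app/metadata/default.meta" <<EOF
[]
access = read : [ tenant_$tenant, admin ], write : [ tenant_$tenant, admin ]
EOF

  # Printed for review rather than installed; capabilities are left out.
  cat <<EOF
[role_tenant_$tenant]
srchIndexesAllowed = $tenant
srchIndexesDefault = $tenant
EOF
}

# Usage: make_tenant_app "$SPLUNK_HOME/etc/apps" acme >> role_stanzas.conf
```

The built-in apps keep their own permissions, so they need the same ACL treatment if tenants should not share content there.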