Index Level Restrictions For The Users In Splunk
We hope you are all doing well and enjoying Splunk with us.
Today we are going to discuss index-level restrictions for users in Splunk. Before reading this blog, we recommend going through the links below to get a clearer idea of the topic:
In Splunk, you assign roles to users, and those roles determine the level of access users have and the tasks they can perform. Splunk ships with its own set of default roles, and you can also create your own roles according to your requirements. Every role contains one or more capabilities that give access to various parts of Splunk.
We start by creating a new role.
First click on Settings in the top bar and then click on Roles. Next click on New Role to create the role you need.
Then fill it in as shown in the figure below, checking only the boxes for the access you want to give.
Name = <name of the role>
Go to the Capabilities tab and select “search” as the capability.
Then go to the Indexes tab and include the indexes that you want that user group to have access to.
Click on Create.
After that you can see a new role has been created.
Then go to Settings, click on Users, and create the user to whom you want to assign the newly created role, called “index_access”. Click on Edit, select the name of the role you have just created in the Assign roles section, and save it.
In the Edit user tab,
Full name = <name of the user>
Email address = <email of the user>
Set password = <password for the user>
Confirm password = <confirm the password>
Fill in all the mandatory fields, click on “index_access” under Assign roles, and save.
Now log in as the user “shantanu”, which was just created, and go to the Search & Reporting app.
In the search box, just write “index=_internal” and you will be able to see the data.
Now, what happens if we try to access an index other than the selected ones, “_internal” and “_audit”?
Try to access the “_introspection” index, which is not included in the list in the figure above. The search will not return any results, because that particular user group does not have access to that index.
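The check performed above by hand can also be run against the role definitions as they appear in authorize.conf. The following is an added example, not part of the original post and not Splunk's own code: the stanza contents are constructed, the roles “broad” and “index_access_plus” are hypothetical, and the matching is a simplified model of the documented rules (inherited roles add their indexes, and a “*” pattern does not match internal indexes that start with “_”).

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf content (not from the original post): the
# "index_access" role from the walkthrough plus two hypothetical roles.
SAMPLE_AUTHORIZE_CONF = """
[role_index_access]
search = enabled
srchIndexesAllowed = _internal;_audit
[role_broad]
srchIndexesAllowed = *
[role_index_access_plus]
importRoles = index_access;broad
"""

def load_roles(text):
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # setting names are case-sensitive
    parser.read_string(text)
    return {s[5:]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def split_list(value):
    """Split a semicolon-delimited setting value into clean items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def allowed_patterns(roles, name, seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(split_list(roles[name].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[name].get("importRoles", "")):
        patterns |= allowed_patterns(roles, parent, seen)
    return patterns

def can_search(roles, name, index):
    """True if any effective pattern for the role matches the index name."""
    for pattern in allowed_patterns(roles, name):
        # A pattern that does not start with "_" never matches an internal index.
        if index.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatchcase(index, pattern):
            return True
    return False

ROLES = load_roles(SAMPLE_AUTHORIZE_CONF)
if __name__ == "__main__":
    print({i: can_search(ROLES, "index_access", i) for i in ("_internal", "_audit", "_introspection")})
```

Because index access is additive across roles, run the check for every role a user holds or inherits, not only the restricted one.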
That’s all about “Index level restrictions for the Users In Splunk”
Happy Splunking !!