Configure role-based access and search targeting for transparent mode federated providers
Granular search targeting controls based on role-based access control (RBAC) manage which transparent mode federated providers a role can reach and define default search routing.
Federated search in transparent mode gives administrators these controls so that a search is sent only to the environments that need to answer it. Limiting the provider set keeps searches efficient and secure, reduces system overhead and unnecessary broadcast traffic to providers that hold no relevant data, and improves overall search performance, so search operations can be tailored to your organizational needs.
The Included setting governs which transparent mode federated providers a role can access using RBAC. Administrators can define which user roles are permitted to access specific providers and assign those providers to designated roles. Users are restricted to searching only the providers that are available through their effective role permissions and can't interact with providers unless they have been granted explicit authorization via the Included setting.
The Default setting determines which providers a role's searches run over when the search does not explicitly target a provider. Administrators define which providers their users' searches target by default. Users can temporarily override their role's default providers in ad hoc and saved searches, or explicitly target specific providers in supported index-based searches by using the splunk_federated_provider predicate. Explicit targeting is still subject to RBAC: a user can target a provider only if it is Included for one of their roles. These mechanisms give users fine-grained, per-search provider targeting and let them search data on a provider that is Included for their role but is not searched by default.
Use Included with role-based access control (RBAC) to restrict access to Splunk transparent mode federated providers
After you add new Splunk platform transparent mode federated providers, configure which providers each role in your organization is allowed to search. You manage provider access from the Roles page in Settings by using Included on the Providers tab.
See Use Default with role-based access control (RBAC) to target transparent mode federated providers for information about using Default to control which remote and local providers a role searches by default.
Steps
Edit roles for your Splunk platform instance on the Roles page in Settings. Use the Providers tab to change access to transparent mode federated providers for existing roles.
- Click Settings and then Roles.
- Click an existing role to edit it.
- Select Providers to display the contents of the Providers tab.
- Using the following table, specify the transparent mode federated providers the role is allowed to access by selecting Included for providers in the list of available providers. If Included is not selected for a provider and the provider is not included through an inherited role, users cannot search data on that provider.
Note: The local provider represents the deployment where the federated search head runs. By default, the local provider is set to both Included and Default on the Providers tab to support standard index-based searches. If local is not selected as both Included and Default, index-based searches run by this role no longer target the local provider by default, and searches could return incomplete results. See Include or exclude the local provider in searches.
Note: The local federated provider can only be excluded from searches that include index-based commands. For all other generating commands, searches target the local provider by default.

| Setting | Description | Default value |
|---|---|---|
| Wildcards | Use wildcards (*) to match multiple federated providers for this role. Instead of selecting individual providers, create a wildcard provider to dynamically capture all providers whose names match the pattern. After you add a wildcard provider, it appears in the Provider Name list. Note: The local provider can match a wildcard; for example, lo* includes local in the Provider Name list. | No default |
| Included | The transparent mode federated providers that this role is allowed to search. Select Included for each provider that the role is permitted to access; users can then search only the selected providers and any providers inherited from other roles. These included providers are given the highest priority for search operations. To maintain backward compatibility, Included is selected by default for all default transparent mode federated providers for the role, so searches from users assigned to that role are routed to those default providers. If no Included providers are defined for any of a user's roles, the Splunk platform does not send that user's searches to any provider. If you remove a provider from the Included list, that provider is excluded from all searches that users with that role run, including searches that name it explicitly. | No default |

- After you finish making the configuration changes that you want, click Save to save the role.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
Use Default with role-based access control (RBAC) to target transparent mode federated providers
You can control which local or remote federated providers a role searches by default by selecting Default for providers in the list of available providers on the Providers tab.
See Use Included with role-based access control (RBAC) to restrict access to Splunk transparent mode federated providers for information about using Included to control which providers a role has permission to search.
Steps
Edit roles for your Splunk platform instance on the Roles page in Settings. Use the Providers tab to change search targeting across transparent mode federated providers for existing roles.
- Click Settings and then Roles.
- Click an existing role to edit it.
- Select Providers to display the contents of the Providers tab.
- Using the following table, specify the transparent mode federated providers that searches by this role target by default by selecting Default for providers in the list of available providers.
Note: The local provider represents the deployment where the federated search head runs. By default, the local provider is set to both Included and Default on the Providers tab to support standard index-based searches. If local is not selected as both Included and Default, index-based searches run by this role no longer target the local provider by default, and searches could return incomplete results. See Include or exclude the local provider in searches.
Note: The local federated provider can only be excluded from searches that include index-based commands. For all other generating commands, searches target the local provider by default.

| Setting | Description | Default value |
|---|---|---|
| Wildcards | Use wildcards (*) to match multiple federated providers for this role. Instead of selecting individual providers, create a wildcard provider to dynamically capture all providers whose names match the pattern. After you add a wildcard provider, it appears in the Provider Name list. Note: The local provider can match a wildcard; for example, lo* includes local in the Provider Name list. | No default |
| Default | The transparent mode federated providers that a search by this role runs over by default. The Default list is useful for limiting searches to a subset of providers without requiring users to change the SPL in their searches. Every provider selected as Default for a role must also be selected as Included for that role. To maintain backward compatibility, Default is selected by default for all default transparent mode providers for the role, so searches are sent to all available transparent mode federated providers. If no Default providers are defined for any of a user's roles and the user submits a search that does not specify a transparent mode federated provider, the Splunk platform does not send that search to any provider. If you remove a provider from the Default list, that provider is excluded from searches that users with that role run unless the search targets it explicitly: when Included is still selected for the provider, a user with that role can name that transparent mode federated provider in the search for the relevant indexes. | No default |

- After you finish making the configuration changes that you want, click Save to save the role.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
Include or exclude a remote provider in searches
Administrators can use the Providers tab for a role to control whether searches target a remote federated provider by default. The following table describes how user searches can target a remote provider depending on whether Included and Default are selected for that provider.
| Included | Default | Description |
|---|---|---|
| Selected | Selected | The user can search all indexes on the remote provider, and searches target it by default. |
| Selected | Not selected | Searches do not include the remote provider by default. Users can use the splunk_federated_provider predicate in supported index-based searches to target the remote provider explicitly. |
| Not selected | Not selected | Users cannot search data on the remote provider. The splunk_federated_provider predicate is subject to RBAC, so it cannot be used to reach a provider that is not Included. |
Include or exclude the local provider in searches
The local provider in the Providers list represents the deployment where the federated search head runs. Administrators can use the Providers tab for a role to control whether supported searches target the local provider.
The name local is reserved. Don't create new providers named local.
Only searches that contain index-based commands support excluding the local provider. For searches that do not contain index-based commands, searches target the local provider by default. For most deployments, keep Default selected for the local provider.
The following table describes how user searches can target the local provider depending on whether Included and Default are selected for local in the Providers list. See Include or exclude a remote provider in searches.
| Included | Default | Description |
|---|---|---|
| Selected | Selected | The user can search all indexes on the local provider, and searches target it by default. |
| Selected | Not selected | For searches that contain index-based commands: the local provider is not searched by default. Because local is Included, users can still target it explicitly with the splunk_federated_provider predicate. For searches that do not contain index-based commands: searches target the local provider. |
| Not selected | Not selected | For searches that contain index-based commands: users cannot search data on the local provider. For searches that do not contain index-based commands: searches target the local provider by default, because only index-based searches can exclude it. |
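The rules stated in the Included and Default procedures and in the two tables above reduce to a small decision procedure. The following Python model is an added example written for this page; it is not Splunk code and does not show how the Splunk platform implements routing internally. The role names, provider names and the `route` helper are constructed for the example, and wildcard matching is approximated with `fnmatch`. The model unions Included and Default over a user's roles and the roles they inherit, honours Default only where the provider is also Included, honours an explicit splunk_federated_provider predicate only for Included providers, and always sends searches without index-based commands to the local provider.

```python
"""Illustrative model of Included/Default provider routing for transparent mode.

Added example for this page, not Splunk code: it mirrors the rules stated in the
tables above so that a role design can be checked before it is saved. Role and
provider names are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

LOCAL = "local"  # reserved name for the deployment where the federated search head runs


@dataclass
class Role:
    name: str
    included: set[str] = field(default_factory=set)  # provider names or wildcard patterns such as "fp_*"
    default: set[str] = field(default_factory=set)   # must resolve to a subset of what Included matches
    inherits: list[str] = field(default_factory=list)


def expand(patterns: set[str], providers: set[str]) -> set[str]:
    """Resolve names and wildcard patterns (for example 'fp_*' or 'lo*') against configured providers."""
    return {p for p in providers for pat in patterns if fnmatchcase(p, pat)}


def unsupported_defaults(role: Role, providers: set[str]) -> set[str]:
    """Default providers the role does not also Include. The page requires this set to be empty."""
    return expand(role.default, providers) - expand(role.included, providers)


def effective_sets(roles: dict[str, Role], user_roles: list[str],
                   providers: set[str]) -> tuple[set[str], set[str]]:
    """Union Included and Default over the user's roles and every role they inherit from."""
    included: set[str] = set()
    default: set[str] = set()
    seen: set[str] = set()
    stack = list(user_roles)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        included |= expand(role.included, providers)
        default |= expand(role.default, providers)
        stack.extend(role.inherits)
    # Default is honoured only where the provider is also Included.
    return included, default & included


def target_providers(included: set[str], default: set[str], requested: str | None = None,
                     index_based: bool = True) -> set[str]:
    """Providers a single search is sent to.

    requested   -- value of an explicit splunk_federated_provider predicate, or None
    index_based -- True for searches built on index-based commands; only those can exclude local
    """
    if not index_based:
        # Other generating commands run on the local deployment regardless of Included/Default.
        return {LOCAL}
    if requested is None:
        return set(default)  # no Default providers at all: the search is sent nowhere
    # Explicit targeting is still subject to RBAC: only Included providers can be selected.
    return {p for p in included if fnmatchcase(p, requested)}


# Constructed deployment: the local provider plus three remote transparent mode providers.
PROVIDERS = {LOCAL, "fp_east", "fp_west", "cold_store"}

ROLES = {
    "analyst": Role("analyst", included={LOCAL, "fp_*"}, default={LOCAL, "fp_east"}),
    "archivist": Role("archivist", included={"cold_store"}, default={"cold_store"}),
    "lead": Role("lead", inherits=["analyst", "archivist"]),
    "remote_first": Role("remote_first", included={LOCAL, "fp_east"}, default={"fp_east"}),
    "locked": Role("locked"),  # nothing Included: this role's searches reach no provider
    "broken": Role("broken", included={"fp_east"}, default={"fp_east", "fp_west"}),
}


def route(user_roles: list[str], requested: str | None = None, index_based: bool = True) -> set[str]:
    """Convenience wrapper: resolve a user's roles, then route one search."""
    included, default = effective_sets(ROLES, user_roles, PROVIDERS)
    return target_providers(included, default, requested, index_based)


if __name__ == "__main__":
    print(route(["analyst"]))                          # {'local', 'fp_east'}: the Default set
    print(route(["analyst"], "fp_west"))               # {'fp_west'}: Included but not Default
    print(route(["analyst"], "cold_store"))            # set(): not Included, RBAC blocks it
    print(route(["lead"]))                             # union of the two inherited roles
    print(route(["remote_first"]))                     # {'fp_east'}: local left out of index-based searches
    print(route(["remote_first"], index_based=False))  # {'local'}: other generating commands run locally
    print(unsupported_defaults(ROLES["broken"], PROVIDERS))  # {'fp_west'}: Default without Included
```

Run `unsupported_defaults` over every role before saving it: a non-empty result is exactly the misconfiguration the Default table warns about, and in the model the offending provider is silently dropped from routing, which is the incomplete-result behaviour an operator would otherwise discover only from a search that returns less than expected.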