Examples

Examples showing how to use role-based access control (RBAC) and search targeting for transparent mode federated providers.

1. Search across all available providers

Say you want users with a role to search across all available transparent mode federated providers for backward compatibility. In the Providers list, select the Included and Default check boxes for All providers. When the same providers are selected as Included and Default as shown in the following screenshot, users with the role can search all available transparent mode federated providers by default.

A screenshot of the Edit Role admin page on the Providers tab. Under the Providers section, there are three columns. The left column is titled All providers. The middle column is titled Included. The right column is titled Default. The first item in the list of providers, *(All providers), has checkmarks for Included and Default.

When the user runs the following search, the results can include data from local, provider-site2, and provider-site3:

CODE
| tstats count from datamodel=internal_server by host

2. Role inheritance

Provider access follows role inheritance. For example, say the admin role inherits from the power and user roles.

  • For the admin role, the local provider is selected as Included and Default.

  • For the power role, provider-site2 is selected as Included and Default.

  • For the user role, the provider-site3 provider is selected as Included and Default.

When the user runs the following search, the user's effective provider access is the union of the providers selected for the admin role and for every role it inherits:

CODE
| tstats count from datamodel=internal_server by host

The user's searches return results from the local provider, provider-site2, and provider-site3.

If you want the user to access only one remote transparent provider, provider-site2, set up provider access on each role like this:

  • For the admin role, select local and provider-site2 as Included and Default.

  • For the power role and the user role, do not select any providers as Included and Default.

When the user runs searches, the results include data from only the local provider and provider-site2. The results do not include data from provider-site3.

3. Block results from providers that a user cannot access

Suppose you set up provider access on each inherited role like this:

  • For the admin role, select local and provider-site2 as Included and Default.

  • For the power role and the user role, no providers are selected as Included or Default.

Then, a user runs the following search with splunk_federated_provider predicates:

CODE
| tstats count WHERE (index=_internal splunk_federated_provider=provider-site2 OR splunk_federated_provider=provider-site3) by host

Although the search targets two providers with the splunk_federated_provider predicate, the search returns results only from provider-site2. RBAC prevents results from provider-site3 because provider-site3 is not included in the user's effective provider access list.

4. Target indexes to specific providers

With index-based commands, each index clause can target specific providers. For example, say you set up provider access on each inherited role like this:

  • For the admin role, select All providers as Included and Default. The provider-site2 and provider-site3 providers are also automatically added to the Included and Default lists.

  • For the power role and the user role, no providers are selected as Included and Default.

Then, a user runs the following search:

CODE
index=_introspection OR (index=_internal splunk_federated_provider=provider-site2) OR (index=_audit splunk_federated_provider=provider-site3) | stats count by index host

The search targets different indexes to different providers that the user can access:

  • The index=_introspection clause displays search results from the _introspection index on all default providers.

  • The (index=_internal splunk_federated_provider=provider-site2) clause displays results from the _internal index on provider-site2.

  • The (index=_audit splunk_federated_provider=provider-site3) clause displays results from the _audit index on provider-site3.

5. Restrict search results to the local provider

Building on the previous examples, suppose you set up provider access on each inherited role like this:

  • For the admin role, select All providers as Included and Default. The provider-site2 and provider-site3 providers are also automatically added to the Included and Default lists.

  • For the power role and the user role, no providers are selected as Included and Default.

Then, a user runs the following search with the splunk_federated_provider predicate set to local:

CODE
index=_audit splunk_federated_provider=local | stats count by host

Because splunk_federated_provider is set to local, the search returns results only from the local provider, even though the user has access to remote providers.

6. Exclude the local provider from index-based searches

Building on the last example, suppose you set up provider access on each inherited role like this:

  • For the admin role:
    • All providers: Only Included is selected
    • Local: Only Included is selected
    • provider-site2: Only Included is selected
    • provider-site3: Included and Default are selected
  • For the power role and the user role, no providers are selected as Included or Default.

Now the user runs the following index-based search:

CODE
index=_audit | stats count by host

The search results display only hosts from provider-site3. This is because provider-site3 is the only provider selected as Default on the admin role. Even though local is selected as Included on the admin role, local is not included in the results because it is not also selected as Default.

7. The local provider cannot be excluded from non-index-based searches

If a search is not index-based, the local provider is included even when Default is not selected for local. For example, say you set up provider access on each inherited role like the previous example:

  • For the admin role:
    • All providers: Only Included is selected
    • Local: Only Included is selected
    • provider-site2: Only Included is selected
    • provider-site3: Included and Default are selected
  • For the power role and the user role, no providers are selected as Included or Default.

Now the user runs the following search:

CODE
| tstats count FROM datamodel=internal_server by host

The search results include hosts from the local provider and provider-site3, even though local is not selected as Default. The local provider is included because this tstats search uses FROM datamodel, so Splunk does not treat it as an index-based search that can exclude the local provider.
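The access rules that examples 2 through 7 walk through (union over inherited roles, Default versus Included, predicate filtering by RBAC, and the local provider always being present in non-index-based searches) can be modelled in a few lines of Python. This is an added illustration, not Splunk's code: it assumes each role is reduced to an Included set and a Default set, that "*" stands for the All providers row, and that KNOWN_PROVIDERS is a constructed list matching the providers named on this page.

```python
"""Toy model of the provider-access rules in the examples above (added
illustration, not Splunk's code). Assumes each role has Included and Default
sets, "*" means All providers, and a constructed list of known providers."""
from dataclasses import dataclass, field

KNOWN_PROVIDERS = {"local", "provider-site2", "provider-site3"}  # constructed

@dataclass
class Role:
    included: set = field(default_factory=set)   # Included check boxes
    default: set = field(default_factory=set)    # Default check boxes
    inherits: list = field(default_factory=list)

def expand(names):
    """'*' (All providers) stands for every known provider."""
    return set(KNOWN_PROVIDERS) if "*" in names else set(names)

def effective_access(roles, name, seen=None):
    """Union of Included and of Default over the role and all roles it inherits."""
    seen = set() if seen is None else seen
    if name in seen:                       # guard against inheritance cycles
        return set(), set()
    seen.add(name)
    role = roles[name]
    included, default = expand(role.included), expand(role.default)
    for parent in role.inherits:
        p_inc, p_def = effective_access(roles, parent, seen)
        included, default = included | p_inc, default | p_def
    return included, default

def providers_searched(roles, name, predicates=(), index_based=True):
    """Providers returning results for a user holding role `name`.
    predicates: splunk_federated_provider value per index clause (None = none).
    Non-index-based searches ignore predicates: Default set plus local."""
    included, default = effective_access(roles, name)
    if not index_based:
        return default | {"local"}
    targets = set()
    for pred in predicates:
        if pred is None:
            targets |= default             # no predicate: all Default providers
        elif pred in included:
            targets.add(pred)              # RBAC drops providers outside Included
    return targets

# Role setup from example 2: admin inherits power and user.
EXAMPLE2 = {"admin": Role({"local"}, {"local"}, ["power", "user"]),
            "power": Role({"provider-site2"}, {"provider-site2"}),
            "user": Role({"provider-site3"}, {"provider-site3"})}
# Role setup from examples 6 and 7: everything Included, only provider-site3 Default.
EXAMPLE6 = {"admin": Role({"*"}, {"provider-site3"}, ["power", "user"]),
            "power": Role(), "user": Role()}
```

Calling providers_searched with the role setups of examples 3 to 5 reproduces the provider sets the text states for each of those searches.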