Give your users role-based access control of federated indexes
In Federated Search for Splunk, when you define a remote deployment as a standard mode federated provider, you also create federated indexes on the federated search head of your local deployment. See Map a federated index to a remote Splunk dataset.
On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.
After you create federated indexes, follow these steps.
- On the local deployment, in Splunk Web, select Settings, then Roles.
- Select the name of a role that you have associated to users who run federated searches.
- Select Indexes to display the contents of the Indexes tab.
- Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
- Select Included for a federated index to let users with this role see search results from that index.
If you do not select Included for any federated indexes, users with this role cannot run federated searches over standard mode federated providers.Do not add any federated indexes to the Default index column for a role. Users who run standard mode federated searches must always reference federated indexes by name in those searches.
- To save all of the changes you have made and close the dialog box, select Save.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
Map a federated index to a remote Splunk dataset | Run federated searches over remote Splunk platform deployments |
This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!