Give your users role-based access control of federated indexes
After you create an Amazon S3 federated index, you must give your federated search users role-based access control of the index. If you do not do this, your users cannot search the remote AWS Glue Data Catalog table dataset that the federated index maps to.
As with normal Splunk platform indexes, you grant access to federated indexes at the role level. With role-level federated index grants, you can grant federated index access to certain groups of users while disallowing access to other user groups.
On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.
Prerequisites
- You must have the sc_admin role.
- You must have an Amazon S3 federated index.
Steps
After you create an Amazon S3 federated index, follow these steps to give your federated search users access to the index.
- On your Splunk Cloud Platform deployment, in Splunk Web, select Settings and then select Roles.
- Select the name of a role that you have given to users who run federated searches.
- Select Indexes to display the contents of the Indexes tab.
- Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
- Select Included for a federated index to allow users with this role to see search results from that index.
  If Included is not selected for any Amazon S3 federated indexes, users with this role cannot run federated searches over Amazon S3 data.
- To save all of the changes you have made and close the dialog box, select Save.
See Create and manage roles with Splunk Web in the Securing the Splunk Cloud Platform manual.
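After you save the role changes, you can check the resulting grants against the access you intended. The following Python sketch is an added example, not Splunk code: it takes a constructed mapping of roles to their Included indexes and inherited roles, resolves inheritance, and reports every role that reaches a `federated:` index without being on the intended list, plus intended roles that lack the grant. The role names, index names, and the shape of the `ROLES` and `INTENDED` data are assumptions made for illustration.

```python
FEDERATED_PREFIX = "federated:"  # federated index names begin with this prefix

# Constructed sample data: role -> indexes marked Included, and roles it inherits from.
ROLES = {
    "user": {"included": ["main"], "inherits": []},
    "fed_search_analyst": {"included": ["main", "federated:s3_cloudtrail"], "inherits": ["user"]},
    "fed_search_finance": {"included": ["federated:s3_billing"], "inherits": ["user"]},
    "soc_lead": {"included": ["notable"], "inherits": ["fed_search_analyst"]},
    "contractor": {"included": [], "inherits": ["fed_search_finance"]},
    "billing_auditor": {"included": ["main"], "inherits": ["user"]},
}

# Constructed policy: the roles that are supposed to reach each federated index.
INTENDED = {
    "federated:s3_cloudtrail": {"fed_search_analyst", "soc_lead"},
    "federated:s3_billing": {"fed_search_finance", "billing_auditor"},
}

def effective_indexes(role, roles, _seen=None):
    """Indexes a role can search: its own Included list plus inherited ones."""
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles:  # guard against cycles and unknown roles
        return set()
    seen.add(role)
    result = set(roles[role]["included"])
    for parent in roles[role]["inherits"]:
        result |= effective_indexes(parent, roles, seen)
    return result

def federated_grants(roles):
    """Map each federated index to the set of roles that can search it."""
    grants = {}
    for role in roles:
        for index in effective_indexes(role, roles):
            if index.startswith(FEDERATED_PREFIX):
                grants.setdefault(index, set()).add(role)
    return grants

def audit(roles, intended):
    """Return (kind, index, role) findings where actual access differs from policy."""
    grants = federated_grants(roles)
    findings = []
    for index in sorted(set(grants) | set(intended)):
        actual, wanted = grants.get(index, set()), intended.get(index, set())
        findings += [("unexpected", index, r) for r in sorted(actual - wanted)]
        findings += [("missing", index, r) for r in sorted(wanted - actual)]
    return findings

if __name__ == "__main__":
    for kind, index, role in audit(ROLES, INTENDED):
        print(f"{kind}: role {role!r} on {index}")
```

In the sample data, `contractor` reaches `federated:s3_billing` only through inheritance, which is the kind of grant that is easy to miss when reviewing one role at a time.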
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)