Splunk Cloud Platform

Federated Search

Give your users role-based access control of federated indexes

After you create an Amazon S3 federated index, you must give your federated search users role-based access control of the index. If you do not do this, your users cannot search the remote AWS Glue Data Catalog table dataset that the federated index maps to.

As with normal Splunk platform indexes, you grant access to federated indexes at the role level. With role-level federated index grants, you can grant federated index access to certain groups of users while disallowing access to other user groups.

On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

Prerequisites

  • You must have the sc_admin role.
  • You must have an Amazon S3 federated index.

Steps

After you create an Amazon S3 federated index, follow these steps to give your federated search users access to the index.

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings and then select Roles.
  2. Select the name of a role that you have given to users who run federated searches.
  3. Select Indexes to display the contents of the Indexes tab.
  4. Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
  5. Select Included for a federated index to allow users with this role to see search results from that index.

    If Included is not selected for any Amazon S3 federated indexes, users with this role cannot run federated searches over Amazon S3 data.

  6. To save all of the changes you have made and close the dialog box, select Save.

See Create and manage roles with Splunk Web in the Securing the Splunk Cloud Platform manual.

Last modified on 15 October, 2024
Map a federated index to an AWS Glue Data Catalog table dataset   sdselect command overview

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters