Splunk Cloud Platform

Federated Search

Give your users role-based access control of data lake indexes and federated indexes

After you create data lake indexes and federated indexes for your Amazon Security Lake federated provider, you must give your Federated Analytics users role-based access control of those indexes. If you do not do this, your users cannot search data lake indexes or the remote AWS Glue Data Catalog table datasets that the federated indexes map to.

As with normal Splunk platform indexes, you grant access to federated indexes at the role level. With role-level federated index grants, you can grant federated index access to certain groups of users while disallowing access to other user groups.

On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

Prerequisites

  • You must have the sc_admin role.
  • You must have created an Amazon Security Lake federated provider, and in the process created data lake indexes and federated indexes for that federated provider.

Steps

After you create your Amazon Security Lake federated provider, follow these steps to give your Federated Analytics users access to the data lake indexes and federated indexes that are associated with that federated provider.

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings and then select Roles.
  2. Select the name of a role that you have given to users who run Federated Analytics searches.
  3. Select Indexes to display the contents of the Indexes tab.
  4. Locate the data lake indexes and federated indexes you have defined for your Amazon Security Lake federated provider.
    If you retain the data lake index names provided by Federated Analytics, your data lake index names begin with dl_.
    All federated index names in the Indexes list begin with federated:.
  5. Select Included for a data lake or federated index to allow users with this role to see search results from that index.

    If the role has * (All non-internal indexes) selected for Included, all data lake indexes are added to the set of Included indexes. If you want to select which data lake indexes the role has access to, you can deselect * (All non-internal indexes). Be aware that doing this may remove access to other essential non-internal indexes. You can restore access to those indexes by selecting Included for them as well.

    If Included is not selected for any data lake or federated indexes, users with this role cannot run searches over local or remote Amazon Security Lake data.

  6. To save the changes you have made and close the dialog box, select Save.

See Create and manage roles with Splunk Web in the Securing the Splunk Cloud Platform manual.
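
The following is an added example, not part of the Splunk documentation or product. It audits which roles can reach data lake and federated indexes, and shows how to replace the * selection with explicit names without losing other non-internal indexes. The index names, role names, and the functions effective, audit, and narrow are constructed for illustration. The example assumes that internal indexes start with an underscore and that federated indexes are granted only when selected by name.

```python
from fnmatch import fnmatchcase

# Constructed sample data: index names and each role's Included selections,
# as read off the Indexes tab. None of these names come from the page.
INDEXES = ["main", "web_logs", "_internal", "_audit",
           "dl_cloudtrail", "dl_vpcflow", "federated:asl_cloudtrail"]
ROLES = {
    "fa_analyst": ["dl_cloudtrail", "federated:asl_cloudtrail"],
    "soc_power": ["*"],
    "helpdesk": ["main"],
}

def is_lake(name):
    # Prefixes from the page: dl_ (default data lake names) and federated:
    return name.startswith(("dl_", "federated:"))

def effective(included, indexes=INDEXES):
    """Expand a role's Included selections into concrete index names."""
    reachable = set()
    for idx in indexes:
        for pat in included:
            if pat == "*":
                # "* (All non-internal indexes)" pulls in every data lake index.
                # Assumptions: internal means a leading "_", and federated
                # indexes count only when selected by name.
                hit = not idx.startswith(("_", "federated:"))
            else:
                hit = fnmatchcase(idx, pat)
            if hit:
                reachable.add(idx)
    return reachable

def audit(roles=ROLES):
    """Per role: reachable lake indexes, and whether '*' is what grants them."""
    return {role: {"lake": sorted(i for i in effective(inc) if is_lake(i)),
                   "via_wildcard": "*" in inc}
            for role, inc in roles.items()}

def narrow(included, keep_lake, indexes=INDEXES):
    """Replace '*' with explicit names: keep every non-lake index the role
    could already reach, plus only the lake indexes listed in keep_lake."""
    keep = {i for i in effective(included, indexes) if not is_lake(i)}
    keep |= {i for i in effective(included, indexes) if i in keep_lake}
    return sorted(keep)

if __name__ == "__main__":
    for role, row in audit().items():
        print(role, row)
    print("soc_power without '*':", narrow(ROLES["soc_power"], {"dl_cloudtrail"}))
```

Roles reported with via_wildcard set to True are the ones to review first, because any data lake index created later is included for them automatically.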

Last modified on 14 October, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408

