Index Access and Advanced Search Filters (Beta)
When you create a role, you can restrict access to data in logs using advanced search filters, and you can also restrict access to the indexes you specify. This ensures that users only see the data they are supposed to.
Follow this process to restrict access using advanced filters and indexes:
- Identify the dataset you would like to control access to. Test it out using a search query.
- When you create a role, define the dataset to give access to using advanced search filters and index access.
- Verify the dataset access is correct using emulation.
- Assign the role to the relevant users.
Configure advanced search filter options
When you create a role, an advanced filter allows access only to the logs that match the search filter.
- Classic UI. In the main Sumo Logic menu select Administration > Users and Roles > Roles.
  New UI. In the top menu select Administration, and then under Users and Roles select Roles. You can also click the Go To... menu at the top of the screen and select Roles.
- Click + Add Role on the upper right side of the page. The Create New Role pane displays.
- Select one of the following to create a filter that allows access to only the logs that match the defined conditions. You can create only one filter of each type.
- Log Analytics data filter. This filter applies to all the partitions and Live Tail.
- Audit data filter. This filter applies to all the logs in Audit Indexes and Live Tail. For example, you could include filters for `sumologic_audit_events`, `sumologic_search_events`, `sumologic_search_usage_per_query`, or `sumologic_system_events`, to name a few.
- Security data filter. This filter applies to all logs in Cloud SIEM security indexes.
- Enter search criteria in the box provided. For examples, see Understanding search filters.
Advanced filter examples
Following are examples for advanced filtering:
- Let’s say you want to deny access to all logs that contain `error` in log analytics, and contain `malicious=high` in security logs. Select Log Analytics data filter and add `!error` to the filter, and then select Security data filter and add `!malicious=high` to the filter.
- Let’s say you want to deny access to all error logs in log analytics, and deny access to all audit indexes. In this case, you will have to create two roles. For role 1, select Advanced filter > Log Analytics filter and add `!error` to the filter. For role 2, select Index Access > Deny few indexes and select all audit indexes.
Keep in mind that these are examples only, and you must adapt them for use in your environment. For more filter examples, see Construct a Search Filter for a Role.
Configure index access
An index filter allows or denies access to search indexes.
- Create a role.
- In the Create New Role pane, navigate to Index Access.
- Select one of the following:
- All indexes. Allow access to all indexes.
- Allow few indexes. Allow access to only the selected indexes.
- Deny few indexes. Deny access to the selected indexes.
- If you choose Allow few indexes or Deny few indexes, choose the indexes in the Select Indexes box that appears.
Index filter example
For example, let’s say you want to deny access to partition and security indexes. In our example environment, the `accessLogs` and `authenticationLogs` indexes give access to partitions, and the `sec_*` indexes give access to security information. To deny access to these indexes, click Deny few indexes and select those indexes.
Index Access behavior when a user has multiple roles
A role can have one of the following Index Access settings:
- All indexes. Allows access to all indexes.
- Allow few indexes. Allows access to only the selected indexes.
- Deny few indexes. Denies access to the selected indexes.
However, if a user is assigned multiple roles that each have different Index Access settings, the combination is evaluated as follows:
- All indexes + Allow few indexes. Indexes in the "Allow few indexes" list are allowed, and all other indexes are allowed.
- All indexes + Deny few indexes. Indexes in the deny list are denied, but all other indexes are allowed.
- Allow few indexes + Deny few indexes. Indexes in the "Allow few indexes" list are allowed, indexes in the deny list are denied, and all other indexes are denied.
- All indexes + Deny few indexes + Allow few indexes. Indexes in the "Allow few indexes" list are allowed, indexes in the deny list are denied, and the rest of the indexes are allowed.
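To check the combined effect before assigning roles, the four combination rules above can be reduced to one evaluation: a deny list always removes an index, an "All indexes" role grants whatever is not denied, and otherwise an index must appear in some allow list. The following is an added example, not Sumo Logic's own code; the two cases the page does not state (an index listed in both an allow and a deny list, and a user with no roles at all) are resolved as deny, which is an assumption.

```python
"""Effective index access for a user holding several Sumo Logic roles.

Added example encoding the combination rules listed above; it is not
Sumo Logic's code. Conflicts (index in both an allow list and a deny
list) and users with no roles are treated as DENY: an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class IndexAccess(Enum):
    ALL = "All indexes"
    ALLOW_FEW = "Allow few indexes"
    DENY_FEW = "Deny few indexes"


@dataclass(frozen=True)
class Role:
    name: str
    access: IndexAccess
    indexes: frozenset = field(default_factory=frozenset)  # used by the "few" modes only


def can_search_index(roles, index):
    """Return True if a user holding `roles` may search `index`."""
    if not roles:
        return False  # assumption: a user with no roles gets no index access
    denied = set().union(*(r.indexes for r in roles if r.access is IndexAccess.DENY_FEW))
    allowed = set().union(*(r.indexes for r in roles if r.access is IndexAccess.ALLOW_FEW))
    has_all = any(r.access is IndexAccess.ALL for r in roles)
    has_allow = any(r.access is IndexAccess.ALLOW_FEW for r in roles)
    if index in denied:
        return False  # assumption: a deny list wins over an overlapping allow list
    if has_all:
        return True   # "All indexes" grants everything that is not denied
    if has_allow:
        return index in allowed  # Allow few + Deny few: all other indexes are denied
    return True       # only Deny few roles: all indexes outside the deny list are allowed


def effective_indexes(roles, known_indexes):
    """Subset of `known_indexes` the user can search; useful as a pre-assignment review."""
    return {ix for ix in known_indexes if can_search_index(roles, ix)}


if __name__ == "__main__":
    # Constructed roles using the index names from the example above plus a sample sec_ index.
    analysts = [Role("partition-readers", IndexAccess.ALLOW_FEW, frozenset({"accessLogs"})),
                Role("no-security", IndexAccess.DENY_FEW, frozenset({"sec_example"}))]
    print(effective_indexes(analysts, {"accessLogs", "authenticationLogs", "sec_example"}))
```

Run it with a user's actual roles and the index list from the Select Indexes box to confirm the result matches what Emulate log search returns.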
Test search filters
- Classic UI. In the main Sumo Logic menu select Administration > Users and Roles > Roles.
  New UI. In the top menu select Administration, and then under Users and Roles select Roles. You can also click the Go To... menu at the top of the screen and select Roles.
- Select a role with search filtering defined.
- Click Emulate log search. The search will be emulated for the search filters defined in the role. (In the example below, an index search filter is defined.)
- Enter your search parameters in the log search emulation window. The search will return only what is allowed by search filters defined in the role.