Splunk Enterprise Security Certified Analyst — Question 24
A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles "" security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role.
If a new user is created and assigned to the operations role only, which indexes will the user have access to search?
Answer options
- A. operations, network, _internal, _audit
- B. operations
- C. No Indexes
- D. operations, network
Correct answer: D
Explanation
The correct answer is D because the user assigned to the operations role will have access to the operations index as specified in the role's configuration, and since the default user role typically allows access to the default indexes, the user will also have access to the network index. Options A, B, and C are incorrect because they either overstate or understate the user's access rights based on the defined roles.