https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429961#M10121 <P>I have an index with kubernetes logs.<BR />Each log line has a field called namespace with following values</P> <UL> <LI>prod</LI> <LI>dev</LI> <LI>qa</LI> <LI>test</LI> </UL> <P>I want to limit some users, that the can not access lines with value "prod" but each other lines.<BR />How can we do that?</P> <P>thanks<BR />Jörg</P> Wed, 18 Jan 2023 17:09:50 GMT joerglang 2023-01-18T17:09:50Z https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429961#M10121 <P>I have an index with kubernetes logs.<BR />Each log line has a field called namespace with following values</P> <UL> <LI>prod</LI> <LI>dev</LI> <LI>qa</LI> <LI>test</LI> </UL> <P>I want to limit some users, that the can not access lines with value "prod" but each other lines.<BR />How can we do that?</P> <P>thanks<BR />Jörg</P> Wed, 18 Jan 2023 17:09:50 GMT https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429961#M10121 joerglang 2023-01-18T17:09:50Z https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429962#M10122 <P>Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf</A> </P> <P>I'd suggest not using search filters for a non-metadata based field as they can be bypassed.</P> Wed, 07 Aug 2019 10:57:46 GMT https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429962#M10122 Lucas_K 2019-08-07T10:57:46Z https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429963#M10123 <P>Thanks for your feedback.</P> <P>The problem is, that it is one single log, which has the content with , let me call it, different contextes.</P> <P>what we are looking for is something like "row level security".</P> <P>There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.</P> Wed, 07 Aug 2019 11:06:59 GMT https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/429963#M10123 joerglang 2019-08-07T11:06:59Z https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/627439#M16537 <P>Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk:&nbsp; <A href="https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based-access-control-to-achieve-fine-grain-security-of-your-data.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based-access-control-to-achieve-fine-grain-security-of-your-data.pdf</A></P><P>It would be nice to see row-level security natively built in though.</P> Wed, 18 Jan 2023 10:59:47 GMT https://community.splunk.com/t5/Security/How-to-restrict-access-to-specific-rows/m-p/627439#M16537 TonyLeeVT 2023-01-18T10:59:47Z