https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598273#M16105 <P>Even though <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a> pointed you to the functionality, I simply wouldn't trust it to do the task properly.</P><P>Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way so it's kinda "security by obscurity" approach.</P><P>It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to relevant index.</P><P>The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).</P> Wed, 18 May 2022 09:10:35 GMT PickleRick 2022-05-18T09:10:35Z https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/597501#M16090 <P>Hi,&nbsp;</P> <P>I am currently running Splunk 8.1.9</P> <P>Is it possible to create a role, that will allow a user to access only specific fields in an index?</P> <P>Example:</P> <P>field1, field2, field3, field4, field5</P> <P>User have access to the index, but can only view data in field1, field4 and field5.</P> <P>&nbsp;</P> <P>Much thanks.</P> <P>&nbsp;</P> Wed, 18 May 2022 15:12:33 GMT https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/597501#M16090 madcow 2022-05-18T15:12:33Z https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/597522#M16091 <P>Hi</P><P>I think that this feature has published some time ago. Haven't try it by myself, but at least here is some documentation about it.&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering</A></P><P>r. Ismo</P> Thu, 12 May 2022 06:46:04 GMT https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/597522#M16091 isoutamo 2022-05-12T06:46:04Z https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598266#M16104 <P>Hi isoutamo,&nbsp;</P><P>&nbsp;</P><P>Thanks, I followed the documentation (<A href="https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering</A>) and it doesn't seem to work.</P><P>[role_limited]</P><P>fieldFilter-field2 = XXXX</P><P>&nbsp;</P><P>I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in clear.&nbsp;</P><P>Regards.</P> Wed, 18 May 2022 08:52:31 GMT https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598266#M16104 madcow 2022-05-18T08:52:31Z https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598273#M16105 <P>Even though <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a> pointed you to the functionality, I simply wouldn't trust it to do the task properly.</P><P>Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way so it's kinda "security by obscurity" approach.</P><P>It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to relevant index.</P><P>The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).</P> Wed, 18 May 2022 09:10:35 GMT https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598273#M16105 PickleRick 2022-05-18T09:10:35Z https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598323#M16106 <P>I totally agree with&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;that these somehow search filter related "features" are not something what I can propose or even use by myself. Usually if you can access _raw you can always access that data somehow.</P><P>Better option is forward those events e.g. in two different indexes or other way "physically" separate those behind different roles/access.</P> Wed, 18 May 2022 14:54:55 GMT https://community.splunk.com/t5/Security/How-to-restrict-user-access-to-specific-fields-in-index/m-p/598323#M16106 isoutamo 2022-05-18T14:54:55Z