topic Splunk User Permissions- Is it possible to restrict at this level? in Security

Splunk User Permissions- Is it possible to restrict at this level?

justindett — Fri, 04 Nov 2022 16:34:23 GMT

Hi,

I have a Splunk role and the allowed index is index=api.

There are a number of users that are part of this role.

But I dont want to allow all users part of this role to see all logs. Only those that are relevant to them.

These logs can be identified by a specific field called org.

Eg. org=X org=Y org=Z (I only want specific users in this role to have access to the org field that is relevant to them)

Is it possible to restrict this at that level? Or would we need to to create separate roles and indexes to achieve this granular access?

Re: Splunk User Permissions

gcusello — Fri, 04 Nov 2022 09:35:58 GMT

Hi @justindett,

one question: do you want to limit the access to

a part of all events ((e.g. some fields but not the full _raw event) in index=api,
some events in this index (e.g. only the ones where org=X OR org=Y OR org=Z)

in the second case, if you want to put some limitation to the accessible events, you could add a Restriction to one role [Settings > Roles < Restriction].

If instead you want to pertit to some users the access only to a part of an events (e.g. some fields but not all the event), it isn't possible in general.

The workaround is creating a dedicated dashboard that displays only the permitted fields and "open in search" feature is disabled.

Ciao.

Giuseppe

Re: Splunk User Permissions

justindett — Fri, 04 Nov 2022 09:42:13 GMT

Hi Guiseppe,

My initial response was to create dedicated dashboards as you mentioned as well. But thought perhaps someone had another idea.

Basically all users belong to the same role, they can see all events for index=api.

But the admin would like to limit access to the org field.

So some users can only see org=x and some can only see org=y

Re: Splunk User Permissions

gcusello — Fri, 04 Nov 2022 11:32:01 GMT

Gi @justindett,

as I said, it's possible to limit the access to some filtered events of an index using Restrictions, but the only way to don't display a part of an event is to create a dedicated dashboard that displays only the fields to display and remembering to disable the "Open in search" feature that permits to see the raw events.

Otherwise, you could create a Summary index containing only the fields that those users can see and giving access to them to this summary index instead the full index.

Ciao.

Giuseppe