topic Re: Tuning security in enterprise in Security

Tuning security in enterprise

brettcave — Wed, 24 Oct 2012 07:57:11 GMT

I am trying to configure explicit information access based on roles in Splunk Enterprise.

I have configured a number of event types and field extractions. Is it possible to configure access to an event type, but not allow access to 1 field in a multi-field matcher? e.g. below to illustrate what I am trying to achieve:

event type "SomeInfo" search term: "SomeInfo: "
field extractor "InfoExtr" regex:   aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)
log example: SomeInfo: aField: foo, bField: bar, cField: 99

I would like to allow a role to access FieldA and FieldB, but not FieldC. Is this possible?

I have the following in the Restrict search Terms: (eventtype="SomeInfo" OR eventtype="Other"). I have tried adding (NOT FieldC) (doesn't filter) or (NOT FieldC="*") (filters entire event).

Re: Tuning security in enterprise

brettcave — Thu, 25 Oct 2012 08:06:34 GMT

assuming this isn't possible?

Re: Tuning security in enterprise

brettcave — Wed, 23 Jan 2013 12:54:08 GMT

doesn't look like it.

Re: Tuning security in enterprise

rtadams89 — Wed, 23 Jan 2013 15:56:07 GMT

I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.

Re: Tuning security in enterprise

brettcave — Thu, 24 Jan 2013 11:19:49 GMT

thanks, that makes sense, nice approach.