topic Re: restrict a role by source IP in Splunk Enterprise

restrict a role by source IP

Andre_ — Fri, 21 Mar 2025 00:29:36 GMT

Hello,

is it possible to restrict Splunk roles by source IP?

example:
Splunk role: my_user_role, allowed source IPs 172.16.0.0/16
Splunk role: my_admin_role, allowed source IPs 192.168.1.5, 192.168.1.6

Kind Regards
Andre

Re: restrict a role by source IP

PickleRick — Fri, 21 Mar 2025 06:31:21 GMT

Not directly. You could do something like that with SAML probably if your identity provider could allow/deny login based on IP-criteria. But be aware that even then it would only work during the initial login. If the user switched to another network while having a logged-in session, he would still be logged in with his role.

Re: restrict a role by source IP

kiran_panchavat — Fri, 21 Mar 2025 08:21:07 GMT

@Andre_

No Splunk has no controls based on network source. Only user to role mapping. This is not doable in the Splunk server configuration.

But a common and effective way to restrict access to Splunk roles based on source IP is to place Splunk behind a reverse proxy (e.g., Apache or NGINX) and configure the proxy to handle IP-based restrictions.

However, I haven’t experimented with this approach yet.

Define roles on the Splunk platform with capabilities - Splunk Documentation

About configuring role-based user access - Splunk Documentation

Re: restrict a role by source IP

PickleRick — Fri, 21 Mar 2025 11:42:13 GMT

Again - you're talking about a completely different thing.

One thing is general IP-based restrictions - this you can do on a reverse-proxy or even directly on Splunk server itself using access rules for ports.

Another thing is restricting given roles or users to specific IP-s. Again - this could also be done if the proxy was acting as an SSO source for Splunk but that is as tricky as any other SSO and still you could easily "escape" this IP-restriction after initial login.

Re: restrict a role by source IP

kiran_panchavat — Fri, 21 Mar 2025 12:17:44 GMT

Splunk doesn’t do IP-based restrictions natively, it’s all user-to-role mapping.. They’d need a reverse proxy like NGINX to restrict by IP, but that’s outside Splunk itself. Mixing the two is a category error.

Re: restrict a role by source IP

PickleRick — Fri, 21 Mar 2025 17:14:30 GMT

Splunk server is not the same as the Splunk software running on it. You can limit connectivity on the Splunk server using iptables/firewalld/Windows Firewall...

Re: restrict a role by source IP

Andre_ — Sun, 23 Mar 2025 22:10:16 GMT

Thank you @PickleRick ,

I think that would work for us, we have SAML and limit it to Kerberos only. This should prevent taking your session with you from from one network segment to another (network segments are different AD Domains too).

With SAML auth, can you still manage the role assignments from Splunk, like AD Group -> role, or does that need to be done on the SAML provider?

Kind Regards

Andre

Re: restrict a role by source IP

Andre_ — Sun, 23 Mar 2025 22:12:32 GMT

@kiran_panchavat,

that doesn't work for us, we need role restriction by IP not service or server restriction.

Kind Regards,

Andre

Re: restrict a role by source IP

isoutamo — Sun, 23 Mar 2025 22:34:42 GMT

Maybe you should create an idea for that in ideas.splunk.com?

Re: restrict a role by source IP

Andre_ — Sun, 23 Mar 2025 22:44:21 GMT

EID-I-2530