topic Re: Restrict Search Terms Conditionally Depending On The Index Being Searched in Splunk Search

Restrict Search Terms Conditionally Depending On The Index Being Searched

jpass — Mon, 28 Sep 2020 13:19:19 GMT

I have multiple indexes to help control user access to data. Now I've run into a situation where data within an index needs to be further divided into access levels.

Here's the structure:

index=i1 foo=bar foo1=bar1
index=i2 type=t1
index=i2 type=t2
index=i2 type=t3
index=i3

Goal: Allow user1 full access to i1 & i3 but only type 't1' in the i2 index

my current roles configuration
role_i1 - provides full access to index 1
role_i2 - provides full access to index 2
role_i3 - provides full access to index 3

My first inclination was to create a new role:
role_i2_t1 = provides access to index i2 but uses the 'restrict search terms' field to say 'type=t1'

So user1 roles configuration would be as follows:
user1 (role_i1,role_i2_t1,role_i3)

This works fine for restricting access within the i2 index. But the side affect is that, because the other index do not contain a field called 'type', users can not return any search results.

So my questions:
1. maybe I'm misunderstanding or doing something wrong and my approach is the correct one
2. Or I'm correct in my findings and another route needs to be take
3. The only other option I see thus far is to create an index for each 'type' and use continue to use roles to manage access to specific data

Re: Restrict Search Terms Conditionally Depending On The Index Being Searched

Takajian — Fri, 15 Feb 2013 07:22:05 GMT

I think your 'restrict search times = "type=t1"' is not correct. Could you try following?

index=i1 OR index=i3 OR ( index=i2 AND type=t1 )

As you recognized, the other index does not have type field. You will need to specify each index and field explicitly.

Re: Restrict Search Terms Conditionally Depending On The Index Being Searched

jpass — Mon, 28 Sep 2020 13:19:37 GMT

I selected Takajian's answer but provided a modified version and some more details for discussion.

Yup. That's it. Man I must have been up too long or something because simple search logic took care of this issue.

I did modify my approach a bit though to make the string shorter:

index!=i2 OR (index=i2 AND type=t1)

This way if you have a bunch of indexes you don't have to list each one.

Do you see a problem using this method if each index has sub groups under different field names?

For example:

index=i1 color=c1 OR color=c2 OR color=c3
index=i2 type=t1 OR type=t2 OR type=t3

index=i3 size=s1 OR size=s2 OR size=s3

My roles would have to overlap.

role_i1_c1 = index!=i1 OR (index=i1 AND color=c1)
role_i1_c2 = index!=i1 OR (index=i1 AND color=c2)
role_i1_c3 = index!=i1 OR (index=i1 AND color=c3)

role_i2_t1 = index!=i2 OR (index=i2 AND type=t1)
role_i2_t2 = index!=i2 OR (index=i2 AND type=t2)
role_i2_t3 = index!=i2 OR (index=i2 AND type=t3)

role_i3_s1 = index!=i3 OR (index=i3 AND type=s1)
role_i3_s2 = index!=i3 OR (index=i3 AND type=s2)

role_i3_s3 = index!=i3 OR (index=i3 AND type=s3)

Example user1: can access index i1 color c1 and c3 & index i3 size s2

user1 roles assignment: role_i1_c1, role_i1_c3, role_i3_s1

Or would it be easier to just create a bunch of indexes for each sub-group?

FYI:
i1 currently has 20 colors
i2 has about 30 types
i3 has 4 sizes

Thanks for your time.

Re: Restrict Search Terms Conditionally Depending On The Index Being Searched

jpass — Tue, 19 Feb 2013 03:55:23 GMT

I have confirmed this in fact does work. I only tested it briefly but it seemed to work perfectly. If a user is assigned multiple roles like I described above, it effectively turns a user's access on / off for those data types. I'm not sure how much it would affect performances but at first glance it seemed fine. I'll report back more after I've done some more testing.