Splunk DB Connect: Upgraded to the new version, so what is the difference between db_connect_user and dbx_user?

Communicator

Hi All,
I'm trying to understand the security features in the new version of Splunk DB Connect. Please guide.

A dbx_user in the old version would allow everyone to search every Database in the old version.

Isn't db_connect_user also the same? What's the difference w.r.t. security between these two?

Also, the permission levels are displayed only on a search head and not in a deployer since we don't have apps in Deployer. Isn't it so?

0 Karma
1 Solution

SplunkTrust

Both dbx_user and db_connect_user are Splunk roles, so their basic functionality is the same, i.e. a user with both roles will have access to all the objects/artifacts that the role is configured to have access to. In DBConnect 1.x, access to each database connection was not managed separately from a security point of view, hence having dbx_user will give you read access to all databases. In DBConnect 2.x onwards, access to each database connection is managed by Identity objects, and each dbconnect role/Splunk role is given access to specific identities. Hence in DBConnect 2 you can only access databases whose Identity object your role has access to. See this on how an identity object is created and how its sharing permission is set up for available roles.
http://docs.splunk.com/Documentation/DBX/2.4.0/DeployDBX/Createandmanageidentities

Regarding permissions only being displayed in Search Head, not Deployer: the permissions/roles are created when the DB Connect app is installed on the Splunk instance (in $Splunk_Home/etc/apps in general). In Deployer it's not installed; it's just placed in the repository location from where it'll get deployed to Search Heads.

0 Karma
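
An added illustration of the per-identity access model described in the answer above (not code from the thread or from Splunk): it resolves a role's inherited roles and lists which identities that role can read. The role names, identity names and the `identities/<name>` stanza naming are assumptions, and both config samples are constructed.

```python
import configparser
import re

# Constructed authorize.conf sample; importRoles is a semicolon-separated list.
AUTHORIZE_CONF = """
[role_db_connect_user]
importRoles = user
[role_finance_analyst]
importRoles = db_connect_user
[role_hr_analyst]
importRoles = user
"""

# Constructed .meta-style ACLs; the "identities/<name>" stanza naming is an assumption.
LOCAL_META = """
[identities/finance_ro]
access = read : [ finance_analyst ], write : [ admin ]
[identities/hr_ro]
access = read : [ db_connect_user, hr_analyst ], write : [ admin ]
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def effective_roles(role, authorize):
    """Return the role plus every role it inherits through importRoles."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        imports = authorize.get("role_" + r, "importRoles", fallback="")
        stack += [x.strip() for x in imports.split(";") if x.strip()]
    return seen

def readable_identities(role, authorize_text=AUTHORIZE_CONF, meta_text=LOCAL_META):
    """List identities whose read ACL names one of the role's effective roles."""
    authorize, meta = _parse(authorize_text), _parse(meta_text)
    mine = effective_roles(role, authorize)
    out = []
    for sec in meta.sections():
        m = re.search(r"read\s*:\s*\[([^\]]*)\]", meta.get(sec, "access", fallback=""))
        readers = {x.strip() for x in m.group(1).split(",")} if m else set()
        if sec.startswith("identities/") and ("*" in readers or readers & mine):
            out.append(sec.split("/", 1)[1])
    return sorted(out)
```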

Communicator

Hi @somesoni2,

Thank you for the response, but still a small confusion.

In the older version, someone who wanted to access a DB and run DB queries was given the dbx_user role, which allows querying against all DBs.

1) So if a person is assigned to the role "db_connect_user", that would also allow him to query any DB, still similar to dbx_user, right?

2) So now, rather than providing the db_connect_user role to the user, we can provide permission for the Splunk role to that particular Identity and also provide the "dbconnectexecute_query" search capability to that role, such that he also belongs to that role, for him to run queries against that DB, is it?

  • I tried the above second option by providing permission to Role A to access Identity AB. At the same time I provided the search capability "dbconnectexecute_query" to Role A. And now, as a user with Role A, when I run any dbquery I get an error: Unknown search command 'dbxquery'.

Is my understanding correct?

Is it possible to share dashboards with search/report results generated from a SQL query with a set of users (non-dbx role users) while at the same time restricting their access to only those results?

0 Karma