All Apps and Add-ons

Splunk DB Connect access control not working as expected with dbxquery command

alhoctamis
Explorer

Hello there,

I am trying to implement some access control with DB Connect.

I want to do something basic like:

- users from role_a can only query db_a
- users from role_b can only query db_b

So I have meta files below:

default.meta:

 

 

[]
access = read [ admin , role_a, role_b ]

 

 

local.meta:

 

 

[db_connections/db_a]
access = read [ role_a ]

[identities/db_a]
access = read [ role_a ]

[db_connections/db_b]
access = read [ role_b ]

[identities/db_b]
access = read [ role_b ]

 

 

As a result, when logged in as a user from role_a, as expected, I cannot see db_b connection/identity.

However, I am still able to retrieve data from db_b using dbxquery:

 

 

| dbxquery "select ..." connection=db_b

 

 

It will still work despite not having read access to db_b connection/identity objects.

Is there an additional metadata entry to limit dbxquery access to specified connections/identities, or dbxquery command does not take care of object permissions at all?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...