Is there any way possible to restrict searches based on source IP of splunk user?
Current environment is Splunk Enterprise 6 with SAML, hosted behind apache as a reverse proxy with mod_mellon handling the SAML authentication to our SSO idp. (https://www.splunk.com/blog/2013/10/09/splunk-sso-using-saml-through-okta.html)
Perhaps some way to map to different user Ids or roles via apache mod config some how, and then using standard Splunk restrictions in roles?
Figured out a solution:
Deploy a second Splunk server as search head without data / index. The 2nd search head can have it's own knowledge bundle / different permissions on roles.
Hey
You can mapp LDAP groups ( as well as SAML) to Splunk Roles:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/MapLDAPgroupstoSplunkroles
Yes, we are doing this. So how could we map to different roles based on source IP address?
e.g. Currently I am user "brettcave" with role "developer" that has certain rights.
If I log onto splunk from 192.168.1.0/24, I want to map to "developer" role, but if I access from any other IP, i want to map to "user" role.
is this possible?
I think what you can do is to try to do that on your DC side. Splunk just maps Groups to Roles and that's ti.
If you can figure out your strategy on the DC side, then it is fine. But in Splunk I don't think so
No Splunk has no controls based on network source. Only user to role mapping
I agree with Starcher. Splunk does not have the ability to match roles based off of network location. You can only do it by mapping users and groups to a role.
Solution posted below - by using 2 different SSO profiles - 1 to the original search head and a 2nd search head with a different configuration, the 2nd head can have a different configuration / ACL configuration.