Archive
Highlighted

Is there any way to restrict searches based on user's source IP address?

Builder

Is there any way possible to restrict searches based on source IP of splunk user?

Current environment is Splunk Enterprise 6 with SAML, hosted behind apache as a reverse proxy with mod_mellon handling the SAML authentication to our SSO idp. (https://www.splunk.com/blog/2013/10/09/splunk-sso-using-saml-through-okta.html)

Perhaps some way to map to different user Ids or roles via apache mod config some how, and then using standard Splunk restrictions in roles?

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Influencer

Hey

You can mapp LDAP groups ( as well as SAML) to Splunk Roles:

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/MapLDAPgroupstoSplunkroles

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Builder

Yes, we are doing this. So how could we map to different roles based on source IP address?

e.g. Currently I am user "brettcave" with role "developer" that has certain rights.
If I log onto splunk from 192.168.1.0/24, I want to map to "developer" role, but if I access from any other IP, i want to map to "user" role.

is this possible?

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Influencer

I think what you can do is to try to do that on your DC side. Splunk just maps Groups to Roles and that's ti.

If you can figure out your strategy on the DC side, then it is fine. But in Splunk I don't think so

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

SplunkTrust
SplunkTrust

No Splunk has no controls based on network source. Only user to role mapping

Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Path Finder

I agree with Starcher. Splunk does not have the ability to match roles based off of network location. You can only do it by mapping users and groups to a role.

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Builder

Solution posted below - by using 2 different SSO profiles - 1 to the original search head and a 2nd search head with a different configuration, the 2nd head can have a different configuration / ACL configuration.

0 Karma
Highlighted

Re: Is there any way to restrict searches based on user's source IP address?

Builder

Figured out a solution:

Deploy a second Splunk server as search head without data / index. The 2nd search head can have it's own knowledge bundle / different permissions on roles.

0 Karma