RBAC with indexes

Builder

Hey All,

I am working on setting up RBAC roles that restrict access to specific indexes.

In the GUI of my deployment manager I am not seeing all of the indexes. Should I add an indexes.conf to the local on that box?

Or should I just add the index names to the authorize.conf?

Also if I add them into authorize.conf will they show in the GUI?

Thanks!
Andrew

1 Solution

SplunkTrust

Hello there,

I'll show what I usually do in order to meet regulations for segregation of data. For this to work, you'll most likely need some sort of index naming concept. Otherwise you might end up asking yourself "what's that index or role for again?".

  1. Every index gets its own role in authorize.conf. Define a prefix for every "role type" you want to use. Usually I define index roles by [role_i-INDEX_NAME]. So an i- prefix (or you could use a c- for capability roles). For every index role, define only one index for both srchIndexesAllowed and srchIndexesDefault. If you define more, it will be a mess later on to manage.
  2. If you need someone to be able to search all indexes (hello there, Enterprise Security), you can create roles like "i-all_indexes" or something like that.
  3. Create a role for every specific user group you will need (besides user, power user and admin). You will probably need those because user, power user and admin are allowed to search all indexes by default.
  4. Create roles according to your departments/groups of users using Splunk, using importRoles. Be sure to check your settings by running a REST search like | rest /services/authorization/roles and check whether srchIndexesAllowed and srchIndexesDefault got properly inherited. These roles finally get assigned to users or LDAP groups.

Does that answer your question?

Skalli

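The following is an added example, not code from the thread or from Splunk: an offline version of the inheritance check the answer describes with `| rest /services/authorization/roles`. It parses an authorize.conf using Splunk's `[role_<name>]` stanza prefix and `;`-separated list values, resolves `srchIndexesAllowed` / `srchIndexesDefault` through `importRoles` transitively, and flags roles that break the one-index-per-i-role convention, grant indexes directly on a department role, import an unknown role, or end up with a wildcard. The authorize.conf text, role names (`i-web_proxy`, `dept-network`, ...) and index names are constructed for illustration.

```python
"""Offline check of effective index access resolved through importRoles.

Added example, not code from the thread: it approximates the
'| rest /services/authorization/roles' check from the answer by parsing
an authorize.conf directly. The conf text, role names and index names
below are constructed for illustration.
"""
import configparser

# Constructed sample authorize.conf following the i-/c- prefix convention.
AUTHORIZE_CONF = """
[role_i-web_proxy]
srchIndexesAllowed = web_proxy
srchIndexesDefault = web_proxy

[role_i-firewall]
srchIndexesAllowed = firewall
srchIndexesDefault = firewall

[role_i-all_indexes]
srchIndexesAllowed = *;_*
srchIndexesDefault = *

[role_c-scheduled_search]
schedule_search = enabled

[role_dept-network]
importRoles = i-web_proxy;i-firewall;c-scheduled_search

[role_dept-soc]
importRoles = i-all_indexes;c-scheduled_search
srchIndexesAllowed = notable
"""


def _split(value):
    """Splunk list-valued settings are ';'-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def load_roles(conf_text):
    """Map role name (without the 'role_' stanza prefix) to its raw settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as srchIndexesAllowed
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}


def effective(roles, name, key, _seen=None):
    """Union of `key` over a role and everything it imports, transitively."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in roles:  # cycle guard; unknown roles add nothing
        return set()
    _seen.add(name)
    result = set(_split(roles[name].get(key, "")))
    for parent in _split(roles[name].get("importRoles", "")):
        result |= effective(roles, parent, key, _seen)
    return result


def lint(roles):
    """Findings against the conventions in the answer: one index per i- role,
    no direct index grants on department roles, known imports, wildcard use."""
    findings = []
    for name, role in sorted(roles.items()):
        allowed = _split(role.get("srchIndexesAllowed", ""))
        default = _split(role.get("srchIndexesDefault", ""))
        if name.startswith("i-") and "*" not in allowed:
            if len(allowed) != 1 or allowed != default:
                findings.append((name, "i- role should name exactly one index in both keys"))
        if name.startswith("dept-") and allowed:
            findings.append((name, "direct srchIndexesAllowed bypasses the i- role convention"))
        for parent in _split(role.get("importRoles", "")):
            if parent not in roles:
                findings.append((name, f"imports unknown role {parent!r}"))
        if "*" in effective(roles, name, "srchIndexesAllowed"):
            findings.append((name, "can search every index via wildcard"))
    return findings


def report(roles):
    """Effective allowed/default indexes per role, as the REST output would show them."""
    return {
        name: {
            "allowed": sorted(effective(roles, name, "srchIndexesAllowed")),
            "default": sorted(effective(roles, name, "srchIndexesDefault")),
        }
        for name in sorted(roles)
    }


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    for name, row in report(roles).items():
        print(f"{name:22} allowed={row['allowed']} default={row['default']}")
    for name, msg in lint(roles):
        print(f"FINDING {name}: {msg}")
```

Run against a real file with `load_roles(open(path).read())`; the findings for the constructed sample are `dept-soc` (direct grant of `notable` plus wildcard through `i-all_indexes`) and `i-all_indexes` (wildcard, which is intentional for that role).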

Builder

No, that doesn't, thanks for the info anyway.

In my deployment manager under the role settings you are able to setup access to indexes via the GUI.
All of my indices are not showing up under the GUI.

I am asking do I need to deploy my indexes.conf to this server for them to show up? Or should I just assign access to indices via the authorize.conf in my ldap app that is deployed environment wide?

SplunkTrust

Yes, the indexes.conf needs to be on the SH as well for indexes to show up in the GUI.

Builder

That is what I needed.

Thank you, I just put a copy of the indexes.conf into system/local on my deployment manager to achieve this.

SplunkTrust

Thank you for your feedback.

Just a little bonus addition: You might want to create an app instead under $SPLUNK_HOME/etc/apps and put that indexes.conf there under local. System/local isn't really considered a best practice (due to several reasons like clusters, deployment servers, system/local always having the highest config file precedence). 🙂

Skalli

Builder

Thanks for the info. We have an app that we deploy with these settings, but the deployment manager doesn't list itself in the list of servers to deploy to. Hence I deployed to system/local.
