Solved: help with dashboard authorizations needed

damucka · ‎02-04-2020

Hello,

I have following case:
I created a dashboard and an App for it and a role allowing only "read" of my dashboard.
Now, users having this role would use my dashboard.
But I would not like them see my searches behind the panels. These are quite complicated SQL statements and I would like to keep them hidden from the endusers.
Is there any way to forbid the access to the panel search but still allow the users working with the dashboard in the way that they can see the results?

My second question would be:
- I want this particular role to allow access only to this one specific app having the specific dashboards. However what I noticed is that many other Apps which I installed, admitted for a playground reasons, are shared Global and they have access to lot of data. Would that mean I have to go one by one through these Apps and try to revert the authorizations from Everyone back to the particular roles?

Kind Regards,
Kamil

PavelP · ‎02-04-2020

you can disable "open in search" links and drilldown, so users cannot see SPL by clicking on charts or on the icon on the bottom of the panel. Additionally you can hide some parts of the dashboards with CSS. But users still can overcome this restrictions manipulating CSS or just accessing search URL directly. In other words most of your lockdown measures will work for non tech users only.

Check this answer:
https://answers.splunk.com/answers/139253/is-there-a-way-to-remove-the-open-in-search-inspect-and-ex...

View solution in original post

PavelP · ‎02-04-2020

you can disable "open in search" links and drilldown, so users cannot see SPL by clicking on charts or on the icon on the bottom of the panel. Additionally you can hide some parts of the dashboards with CSS. But users still can overcome this restrictions manipulating CSS or just accessing search URL directly. In other words most of your lockdown measures will work for non tech users only.

Check this answer:
https://answers.splunk.com/answers/139253/is-there-a-way-to-remove-the-open-in-search-inspect-and-ex...

nickhills · ‎02-04-2020

1.) This is not really possible.
Splunk's permissions start with an index - if you can read the index then you are entitled to see anything in it.
Then you have apps - again if you can see the app, and assets are shared within that app, then you can see its knowledge objects
Then you have dashboards - same applies. You can change who can 'edit' a dashboard, but if the user clicks the search icon it will open up in a search window. - In order for a dashboard to work, you have to be able to "run" the search, and that also means you can "see" it.

2.) If you want to "hide" an app from a user then yes, you will need to amend that apps permissions so that the role does not have it granted directly (or inherit it)

Ultimately, security in Splunk is based on indexes - if you have sensitive stuff on your Splunk deployment make sure that the user is protected from that index. - Everything else Splunk does around permissions is largely "presentation" and making sure someone can't break your stuff - less about making sure they cant see it.

If my comment helps, please give it a thumbs up!

nickhills · ‎02-04-2020

One thing you can do if your SPL needs to stay confidential is keep your "secret SPL" queries as private (or in another app) and schedule them to write the results to a new summary index.

Then for your reports and dashboards give the users access only to the summary index and use "non-secret SPL" to pull data out of the SI.
Data would be delayed based on your schedule above, but maybe that approach could work for you.

If my comment helps, please give it a thumbs up!

help with dashboard authorizations needed

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk