Dashboards & Visualizations

Is It Possible to Assign a Token Value to a User or Role?

genesiusj
Builder

Hello,
We have a dashboard that monitors cost and fees for over 30 in-house applications. We need to have each application owner be only able to view their application and no other application owner's app.

index=$tok_index$
    AND FAILCODE=N
    AND (APPLICATIONNAME=$tok_payApp$ ....

$tok_pay$ is a selectable token from a dropdown input.

What we are looking for...
When user A. Smith clicks the dropdown they should only be able to see costingApp.
When user B. Jones clicks the dropdown they should only be able to see accountsApp.
etc....

I've checked the roles and capabilities doc page, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Rolesandcapabilities, but could not find anything.

I also checked here, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Addandeditroles#Specify_search_restricti.... Would this work with dashboards?

Is it feasible to create a conf file with a list of users and corresponding $tok_pay$ values, and assigning it for a particular dashboard? Maybe built into the dashboard's XML code; or via a JS or CSS file; or another mechanism?

We don't want the administrative burden of building and managing 30+ dashboards in order to fulfill this requirement to our application owners; and we don't want to create separate indexes, etc., to handle this either.

Any fezzes or other experts come across this requirement before?

Thanks in advance.
God bless,
Genesius

0 Karma
1 Solution

genesiusj
Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro current_user to find the user who is running (logged in).

| rest /services/authentication/current-context 
    | table username 
    | search username!=splunk-system-user 
    | return $username

Run this macro against the _audit index with a one minute time range. The results will be the list of their apps, which will be seen in the drop down.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user` 
| eval payUser = user 
| lookup payUserToApp.csv payUser OUTPUTNEW payApp 
| dedup payApp 
| table payApp
| mvexpand payApp

Now what I found interesting is that if I did not use the | mvexpand payApp at the end of the search my results would be concatenated.
Ex.: Without | mvexpand payApp
MV_VEHPPLS_MyLicense
With | mvexpand payApp
MV_VEHPP
LS_MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payApp command.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will make this as Accepted at the end of the week.
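Putting the lookup and the current-user search together in a dashboard, as an added example that is not code from the original post or from Splunk: a Simple XML form whose dropdown is populated straight from the current-context REST endpoint joined to payUserToApp.csv. It skips the _audit hop, so it does not depend on the viewer having read access to _audit or on an audit event having been written in the last minute. The dashboard label, the cost_index placeholder, the 24-hour panel time range and the stats count by panel are assumptions; the lookup name, the payUser and payApp fields, FAILCODE, APPLICATIONNAME and the token names come from the thread.

```xml
<form>
  <label>Application cost and fees (filtered to the viewer's own apps)</label>
  <!-- cost_index is a placeholder: the thread fills $tok_index$ from an input but never shows its value -->
  <init>
    <set token="tok_index">cost_index</set>
  </init>
  <fieldset submitButton="false">
    <!-- Dropdown choices come from the lookup, keyed on the user who is viewing the dashboard. -->
    <input type="dropdown" token="tok_payApp" searchWhenChanged="true">
      <label>Application</label>
      <fieldForLabel>payApp</fieldForLabel>
      <fieldForValue>payApp</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <!-- splunk_server=local keeps the REST call on the search head, where the session user is known;
             the username filter drops the system user in case the call does reach other nodes.
             When several lookup rows match one user, payApp comes back as a multivalue field, so
             mvexpand runs before dedup to turn each value into its own result (one dropdown choice each). -->
        <query>| rest /services/authentication/current-context splunk_server=local
| search username!=splunk-system-user
| eval payUser = username
| lookup payUserToApp.csv payUser OUTPUTNEW payApp
| mvexpand payApp
| dedup payApp
| table payApp</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Cost and fee events for $tok_payApp$</title>
      <table>
        <!-- The panel search only ever sees the application the dropdown allowed this user to pick. -->
        <search>
          <query>index=$tok_index$ FAILCODE=N APPLICATIONNAME="$tok_payApp$"
| stats count by APPLICATIONNAME</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Ordering mvexpand before dedup is why the concatenated MV_VEHPPLS_MyLicense value from the thread does not appear: the lookup attaches every matching payApp to the single result as one multivalue field, a dropdown renders a multivalue field as one joined string, and mvexpand splits it into separate results before the dropdown sees it. The linuxevents search in the thread never hits this because host is a single-value field on each event. One caveat for anyone relying on this pattern: the dropdown only shapes what the dashboard offers, it is not an access control. A user who can search the index can still query other owners' APPLICATIONNAME values from the search bar, so the role-level search restrictions the question links to (srchFilter on the role) remain the place to enforce the boundary, with the lookup-driven dropdown layered on top for convenience.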

