Dashboards & Visualizations
Highlighted

Is It Possible to Assign a Token Value to a User or Role?

Builder

Hello,
We have a dashboard that monitors cost and fees for over 30 in-house applications. We need to have each application owner be only able to view their application and no other application owner's app.

index=$tok_index$
    AND FAILCODE=N
    AND (APPLICATIONNAME=$tok_payApp$ ....

$tok_pay$ is a selectable token from a dropdown input.

What we are looking for...
When user A. Smith clicks the dropdown they should only be able to see costingApp.
When user B. Jones clicks the dropdown they should only be able to see accountsApp.
etc....

I've checked the roles and capabilities doc page, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Rolesandcapabilities, but could not find anything.

I also checked here, https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/Addandeditroles#Specify_search_restricti.... Would this work with dashboards?

Is it feasible to create a conf file with a list of users and corresponding $tok_pay$ values, and assigning it for a particular dashboard? Maybe built into the dashboard's XML code; or via a JS or CSS file; or another mechanism?

We don't want the administrative burden of building and managing 30+ dashboards in order to fulfill this requirement to our application owners; and we don't want to create separate indexes, etc., to handle this either.

Any fezzes or other experts come across this requirement before?

Thanks in advance.
God bless,
Genesius

0 Karma
Highlighted

Re: Is It Possible to Assign a Token Value to a User or Role?

Builder

Figured it out. However, there are some caveats I never knew about.

First, create a lookup table payUserToApp.csv with the users' names and their apps.

payUser,payApp
user1,AG_MktOrg
user1,AG_MktDry
user1,AG_USA
user2,DO_DRTS
user2,DO_EEOH
user2,DO_HFEL
user2,DO_JMMP
user2,DO_PHEAL
user2,DO_PHILEP
user3,MV_VEHPP
user3,LS_MyLicense
user4,ORES_CenFormsRep

Second, create a macro current_user to find the user who is running (logged in).

| rest /services/authentication/current-context 
    | table username 
    | search username!=splunk-system-user 
    | return $username

Run this macro against the _audit index with a one minute time range. The results will be the list of their apps will be seen in the drop down.

index=_audit
    AND earliest=-1min
    AND latest=now()
    `current_user` 
| eval payUser = user 
| lookup payUserToApp.csv payUser OUTPUTNEW payApp 
| dedup payApp 
| table payApp
| mvexpand payApp

Now what I found interesting is that if I did not use the | mvexpand payApp at the end of the search my results would be concatenated.
Ex.: Without | mvexpand payApp
MVVEHPPLSMyLicense
With | mvexpand payApp
MVVEHPP
LS
MyLicense

Is it the macro, the lookup table, or combination of the two that causes this behavior?

When I run a similar search, there is no need to run the | mvexpand payAppcommand.

index=linuxevents
AND source="/var/log/secure"
AND process="sshd"
| dedup host
| table host

Thanks and God bless,
Genesius

PS Unless someone has a better solution, I will make this as Accepted at the end of the week.

View solution in original post

0 Karma