Dashboards & Visualizations

Restrict metadata by user role

npt05001
Engager

I'm trying to restrict the metadata that is available to users of a particular role. The main reason I'm doing this is because I don't want users to be able to see tons of information about different hosts/sources/sourcetypes that they cannot access while they are in the dashboard, but I do want them to be able to see the information about the hosts/sources/sourcetypes that are available to them. Is there a way to restrict the metadata to just what the user is allowed to access?

1 Solution

Genti
Splunk Employee
Splunk Employee

As far as i know (and the little test that i just concluded) there is no way to tell the role what metadata to show and what not to show.
However, i believe what you are trying to achieve can be done by the following:

  • Create a role that does not have access to the main index
  • This role will have only these capabilities:

    • change_own_password
    • get_metadata
    • get_typeahead
    • list_inputs
    • request_remote_tok
    • rest_apps_view
    • rest_properties_get
    • rest_properties_set
    • search
  • This role will not inherit any other capabilities from any other role (ie. remove the user from the selected roles list)

  • Create a user and assign it to this role
  • Assign data that you want this role to see to the index that you specified for the role
  • Logout from your admin user and login with the newly created user (belonging to the newly created role)
  • Check to see if you see other metadata or if you only see the metadata that belong to this index.

Here is my setup: Created an index called localping.
used ping localhost > meta.test to get some sample logs.
Created a new role called metadatatest and gave it the above capabilities and made localping the default index as well as the only index that this role can search
Created a user called metauser with the metadatatest role.
Logged in with this user and can only see info from the localping index.

Here is a sample screenshot:

Sources (1) Source | Total Count | Last Updated (desc)

* /Users/gzaimi/meta.test | 1,283

Sourcetypes (1) Sourcetype | Total Count | Last Updated (desc)

* test-too_small | 1,283

Hosts (1) Host | Total Count | Last Updated (desc)

* localhost | 1,283

As you can see i can only see these instead of seeing a lot more data that i can usually see with the admin role.
Hope this helped. .gz

View solution in original post

jrstear
Path Finder

This is related and should generalize...

I populate sideview pulldowns with a list of HPC clusters, each saved into an index with an hpc_ prefix. The below forms the list of all such indexes, and then subsets it to only those the user's role allows them to search (determined by the role's allowed index list).

| eventcount summarize=false index=hpc_* | where count>0 | map [search index=$index$ | head 1] maxsearches=20 | eval cluster=substr(index,5) | fields cluster

Perhaps you could form lists of hosts/sources/sourcetypes via |metadata and then subset via map according to role search filters?

0 Karma

jrstear
Path Finder

disclaimer: the above is slow with many indexes (no surprise), and splunk5's eventcount appears to only list those indexes permitted by the current role, so map is unnecessary.

0 Karma

Genti
Splunk Employee
Splunk Employee

Actually when i tried it with just the index it did not work completely, ie. it did show me the rest of the info which is in the main index. - hence the removing of the user role privileges and creating the role with only the given capabilities.

0 Karma

Genti
Splunk Employee
Splunk Employee

As far as i know (and the little test that i just concluded) there is no way to tell the role what metadata to show and what not to show.
However, i believe what you are trying to achieve can be done by the following:

  • Create a role that does not have access to the main index
  • This role will have only these capabilities:

    • change_own_password
    • get_metadata
    • get_typeahead
    • list_inputs
    • request_remote_tok
    • rest_apps_view
    • rest_properties_get
    • rest_properties_set
    • search
  • This role will not inherit any other capabilities from any other role (ie. remove the user from the selected roles list)

  • Create a user and assign it to this role
  • Assign data that you want this role to see to the index that you specified for the role
  • Logout from your admin user and login with the newly created user (belonging to the newly created role)
  • Check to see if you see other metadata or if you only see the metadata that belong to this index.

Here is my setup: Created an index called localping.
used ping localhost > meta.test to get some sample logs.
Created a new role called metadatatest and gave it the above capabilities and made localping the default index as well as the only index that this role can search
Created a user called metauser with the metadatatest role.
Logged in with this user and can only see info from the localping index.

Here is a sample screenshot:

Sources (1) Source | Total Count | Last Updated (desc)

* /Users/gzaimi/meta.test | 1,283

Sourcetypes (1) Sourcetype | Total Count | Last Updated (desc)

* test-too_small | 1,283

Hosts (1) Host | Total Count | Last Updated (desc)

* localhost | 1,283

As you can see i can only see these instead of seeing a lot more data that i can usually see with the admin role.
Hope this helped. .gz

Simeon
Splunk Employee
Splunk Employee

Index wise, you should be able to restrict the metadata. I'm not completely sure about your particular application and would like to see the specific role filters.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...