Deployment Architecture

Splunk Enterprise multitenancy- how can I create Role-based permissions per customer?

Enissay66
Loves-to-Learn

hello,

My need is to use Splunk Entreprise to serve multiple client organizations using a single instance=> Multitenancy function use.

I have some installed Splunk Apps using only one index and they manage the data coming from multiple clients, how can I separate them on the dashboard ?  how can i create Role-based permissions per customer ?

Does Splunk Entreprise  supports natively Multitenancy function ? how can I achieve my goal ?

Bests,

Yassine.

 

0 Karma

diogofgm
SplunkTrust
SplunkTrust

If you're looking just at Splunk Enterprise (the core product), you can create an index per customer and have a role per customer to give permissions to their indexes on top of roles to give users capabilities. Then you most likely need to rework the apps dashboards to include those indexes. My suggestion would be to e.g. name the indexes something like windows_customer1, windows_customer2 and change the searches in dashboards to look for index=windows_* or create a macro that hold this and use that macro instead in the searches where you'd filter the index (this way if the indexes changes you can just change the macro instead of reworking all the searches again). If the roles are properly set you should see just the data concerning your company based on your role when opening the dashboards. 

If, on. the other hand, you are talking about the premium app Splunk Enterprise Security, as Giuseppe stated, it does not easily support multi tenancy and would likely need some Splunk PS to implement

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Enissay66,

Enterprise Security isn't a Multi Tenancy App.

I implemented it with the support of Splunk Professional Services for an italian company, but it isn't an activity that's possible to describe in one answer, it's a project with an elapsed of at least 2 months.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...