Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Just in time admin access

Wardy1380
New Member
2 weeks ago

Does Splunk on Prem or cloud have a solution that allows users to be an Analyst when doing that role and sign in or elevate to Admin when carrying out Admin tasks.  This is something that many standards require such as ISO27001 and others.  I hope someone can help or if not I will make the feature request.

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
2 weeks ago

Hi

currently splunk haven't this kind of feature (e.g. sudo or run as in windows). There is one item in ideas.splunk.com https://ideas.splunk.com/ideas/E-I-15 which is not for exactly for this but I think it could be usable, if Splunk made decisions to do it.

Currently the only way to fulfill this requirement is to create additional user, but as you are using SSO it generates it's own issues....

r. Ismo

Reply

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Wardy1380 ,

yes, you can assign to a user both Analyst and Admin roles and he/she can use the features that he/she needs for it's job.

It isn't possible to choose the role to use, one at a time: you have all the features for the roles that you are enabled; in other words, you cannot have the Analyst role and then decide to elevate himself/helsekf to the Admin role: he/she always has all the features from his/her roles.

If you want to separate roles, you have to use two different accounts, one for each role.

About ISO27001 (I'm also an Lead Auditor), I'm not sure that there's a requirement that exactly requires to elevate a user role, but only the requisite of "need to know" and Splunk satisfies this requirement.

Ciao.

Giuseppe

0 Karma
Reply

Wardy1380
New Member
2 weeks ago

Hi gcusello.

 

Many thanks for your reply and understand that Splunk does not have this fuctionality thus I will need to look at how I can create 2 accounts for an individual whilst trying to use SSO.  We have Analysts that develop use cases on Enterprize Security and for some of the functionality they need, they need Admin rights, but when they are doing there daya to day role they should remail Annalyst.  the way splunk does it as you says, I can apply both profiles but they get to use whatever they need, within these 2 profiles.

 

As for the ISO27001 (2022) I am also an Auditor and was looking at the ISO27002 8.2 Privileged Access rights, Guidance para [I] :

"only using identities with privileged access rights for undertaking administrative tasks and not
for day-to-day general tasks [i.e. checking email, accessing the web (users should have a separate
normal network identity for these activities)]."

This I read  should also include normal user activity within Splunk.

Kind regards

Neil

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...