Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Just in time admin access

Wardy1380
New Member
‎10-31-2024 03:38 AM

Does Splunk on Prem or cloud have a solution that allows users to be an Analyst when doing that role and sign in or elevate to Admin when carrying out Admin tasks.  This is something that many standards require such as ISO27001 and others.  I hope someone can help or if not I will make the feature request.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2024 07:43 AM

Hi

currently splunk haven't this kind of feature (e.g. sudo or run as in windows). There is one item in ideas.splunk.com https://ideas.splunk.com/ideas/E-I-15 which is not for exactly for this but I think it could be usable, if Splunk made decisions to do it.

Currently the only way to fulfill this requirement is to create additional user, but as you are using SSO it generates it's own issues....

r. Ismo

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2024 03:51 AM

Hi @Wardy1380 ,

yes, you can assign to a user both Analyst and Admin roles and he/she can use the features that he/she needs for it's job.

It isn't possible to choose the role to use, one at a time: you have all the features for the roles that you are enabled; in other words, you cannot have the Analyst role and then decide to elevate himself/helsekf to the Admin role: he/she always has all the features from his/her roles.

If you want to separate roles, you have to use two different accounts, one for each role.

About ISO27001 (I'm also an Lead Auditor), I'm not sure that there's a requirement that exactly requires to elevate a user role, but only the requisite of "need to know" and Splunk satisfies this requirement.

Ciao.

Giuseppe

0 Karma
Reply

Wardy1380
New Member
‎10-31-2024 04:26 AM

Hi gcusello.

 

Many thanks for your reply and understand that Splunk does not have this fuctionality thus I will need to look at how I can create 2 accounts for an individual whilst trying to use SSO.  We have Analysts that develop use cases on Enterprize Security and for some of the functionality they need, they need Admin rights, but when they are doing there daya to day role they should remail Annalyst.  the way splunk does it as you says, I can apply both profiles but they get to use whatever they need, within these 2 profiles.

 

As for the ISO27001 (2022) I am also an Auditor and was looking at the ISO27002 8.2 Privileged Access rights, Guidance para [I] :

"only using identities with privileged access rights for undertaking administrative tasks and not
for day-to-day general tasks [i.e. checking email, accessing the web (users should have a separate
normal network identity for these activities)]."

This I read  should also include normal user activity within Splunk.

Kind regards

Neil

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...