Getting Data In

Just in time admin access

Wardy1380
New Member

Does Splunk on Prem or cloud have a solution that allows users to be an Analyst when doing that role and sign in or elevate to Admin when carrying out Admin tasks.  This is something that many standards require such as ISO27001 and others.  I hope someone can help or if not I will make the feature request.

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

currently splunk haven't this kind of feature (e.g. sudo or run as in windows). There is one item in ideas.splunk.com https://ideas.splunk.com/ideas/E-I-15 which is not for exactly for this but I think it could be usable, if Splunk made decisions to do it.

Currently the only way to fulfill this requirement is to create additional user, but as you are using SSO it generates it's own issues....

r. Ismo

gcusello
SplunkTrust
SplunkTrust

Hi @Wardy1380 ,

yes, you can assign to a user both Analyst and Admin roles and he/she can use the features that he/she needs for it's job.

It isn't possible to choose the role to use, one at a time: you have all the features for the roles that you are enabled; in other words, you cannot have the Analyst role and then decide to elevate himself/helsekf to the Admin role: he/she always has all the features from his/her roles.

If you want to separate roles, you have to use two different accounts, one for each role.

About ISO27001 (I'm also an Lead Auditor), I'm not sure that there's a requirement that exactly requires to elevate a user role, but only the requisite of "need to know" and Splunk satisfies this requirement.

Ciao.

Giuseppe

0 Karma

Wardy1380
New Member

Hi gcusello.

 

Many thanks for your reply and understand that Splunk does not have this fuctionality thus I will need to look at how I can create 2 accounts for an individual whilst trying to use SSO.  We have Analysts that develop use cases on Enterprize Security and for some of the functionality they need, they need Admin rights, but when they are doing there daya to day role they should remail Annalyst.  the way splunk does it as you says, I can apply both profiles but they get to use whatever they need, within these 2 profiles.

 

As for the ISO27001 (2022) I am also an Auditor and was looking at the ISO27002 8.2 Privileged Access rights, Guidance para [I] :

"only using identities with privileged access rights for undertaking administrative tasks and not
for day-to-day general tasks [i.e. checking email, accessing the web (users should have a separate
normal network identity for these activities)]."

This I read  should also include normal user activity within Splunk.

Kind regards

Neil

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...