Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Just in time admin access

Wardy1380
New Member
‎10-31-2024 03:38 AM

Does Splunk on Prem or cloud have a solution that allows users to be an Analyst when doing that role and sign in or elevate to Admin when carrying out Admin tasks.  This is something that many standards require such as ISO27001 and others.  I hope someone can help or if not I will make the feature request.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-02-2024 07:43 AM

Hi

currently splunk haven't this kind of feature (e.g. sudo or run as in windows). There is one item in ideas.splunk.com https://ideas.splunk.com/ideas/E-I-15 which is not for exactly for this but I think it could be usable, if Splunk made decisions to do it.

Currently the only way to fulfill this requirement is to create additional user, but as you are using SSO it generates it's own issues....

r. Ismo

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2024 03:51 AM

Hi @Wardy1380 ,

yes, you can assign to a user both Analyst and Admin roles and he/she can use the features that he/she needs for it's job.

It isn't possible to choose the role to use, one at a time: you have all the features for the roles that you are enabled; in other words, you cannot have the Analyst role and then decide to elevate himself/helsekf to the Admin role: he/she always has all the features from his/her roles.

If you want to separate roles, you have to use two different accounts, one for each role.

About ISO27001 (I'm also an Lead Auditor), I'm not sure that there's a requirement that exactly requires to elevate a user role, but only the requisite of "need to know" and Splunk satisfies this requirement.

Ciao.

Giuseppe

0 Karma
Reply

Wardy1380
New Member
‎10-31-2024 04:26 AM

Hi gcusello.

 

Many thanks for your reply and understand that Splunk does not have this fuctionality thus I will need to look at how I can create 2 accounts for an individual whilst trying to use SSO.  We have Analysts that develop use cases on Enterprize Security and for some of the functionality they need, they need Admin rights, but when they are doing there daya to day role they should remail Annalyst.  the way splunk does it as you says, I can apply both profiles but they get to use whatever they need, within these 2 profiles.

 

As for the ISO27001 (2022) I am also an Auditor and was looking at the ISO27002 8.2 Privileged Access rights, Guidance para [I] :

"only using identities with privileged access rights for undertaking administrative tasks and not
for day-to-day general tasks [i.e. checking email, accessing the web (users should have a separate
normal network identity for these activities)]."

This I read  should also include normal user activity within Splunk.

Kind regards

Neil

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...