RBAC without using indexes

nouh_hussein
New Member

Is it possible to do RBAC without indexes? I have 5 indexes at least, but I can't use indexes to do RBAC because all users should see all 5 indexes, but the requirement is that they should only see their data. If I ensure that the data is tagged at each of the users' locations, will it be possible to use these tags to only allow users that work at a specific location to see their data, and their data only, from the 5 different indexes available? I like RBAC by indexes because it ensures that users will not see any data even if they write their own searches, because they simply don't have access to the indexes that they weren't assigned access to. Unfortunately this doesn't work because we already indexed, and we can't do that, so we have to rely on another attribute or tag to filter the data. Please let me know if you can suggest anything.

0 Karma

renjith_nair
Legend

@nouh_hussein,

The recommended way of data separation is by using a different index for different data access requirements. So I suggest re-looking at the design.

Alternatively, you can combine index-based and search filter restrictions to achieve some degree of data isolation. However, it might create performance issues.

Please refer to one of the .conf presentations for a better overview

https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
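As an added illustration of the "index-based plus search filter" approach mentioned above (this is not code from the thread or from Splunk), the model below parses a constructed authorize.conf fragment with `srchIndexesAllowed` and `srchFilter` settings and applies them to constructed events. It assumes the filter is ANDed onto every search a role runs and that filters from multiple roles are ORed together (Splunk's default selecting behaviour is assumed here); only the simple `field=value` filter form is handled. It also includes a coverage check for events that never received the location tag, since a filter such as `location=cairo` silently hides them while a negated filter would expose them.

```python
"""Model of how a role's srchIndexesAllowed and srchFilter narrow what a
user sees. Added illustration, not Splunk's code: it lets a defender
check a role's effective visibility against sample events before the
role is trusted. Only the `field=value [OR field=value]` filter form is
supported here."""

import configparser
import re

# Constructed authorize.conf fragment (hypothetical roles, not a real deployment).
AUTHORIZE_CONF = """
[role_site_cairo]
srchIndexesAllowed = fw;proxy;auth
srchFilter = location=cairo

[role_site_berlin]
srchIndexesAllowed = fw;proxy;auth
srchFilter = location="berlin"

[role_all_sites]
srchIndexesAllowed = fw;proxy;auth
srchFilter =
"""

# Constructed sample events. One event in the auth index lacks the
# location tag entirely; one event sits in an index no role may search.
EVENTS = [
    {"index": "fw",    "location": "cairo",  "msg": "deny tcp 10.1.1.5"},
    {"index": "proxy", "location": "berlin", "msg": "GET /login"},
    {"index": "auth",  "location": "cairo",  "msg": "login ok alice"},
    {"index": "auth",                        "msg": "login failed bob"},
    {"index": "hr",    "location": "cairo",  "msg": "payroll run"},
]

# Accepts `field=value` and `field="value"`.
TERM_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')


def load_roles(text):
    """Parse role stanzas into {name: {"indexes": set, "filter": str}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for name in cp.sections():
        idx = cp.get(name, "srchIndexesAllowed", fallback="")
        flt = cp.get(name, "srchFilter", fallback="")
        roles[name] = {
            "indexes": {i.strip() for i in idx.split(";") if i.strip()},
            "filter": flt.strip(),
        }
    return roles


def parse_filter(flt):
    """Turn `field=value OR field=value` into a list of (field, value)."""
    if not flt:
        return []
    terms = []
    for part in re.split(r"\s+OR\s+", flt):
        m = TERM_RE.match(part)
        if not m:
            raise ValueError(f"unsupported filter term: {part!r}")
        terms.append((m.group(1), m.group(2)))
    return terms


def event_matches(event, terms):
    # An event without the filtered field never equals the value, so it is hidden.
    return any(event.get(field) == value for field, value in terms)


def visible_events(role_names, roles, events):
    """Messages a user holding the given roles would see.

    Index access is the union of the roles' allowed indexes; the filters are
    ORed together. An empty srchFilter on any held role removes the filter
    restriction entirely, which is the misconfiguration to audit for.
    """
    allowed = set().union(*(roles[r]["indexes"] for r in role_names))
    filters = [roles[r]["filter"] for r in role_names]
    terms = None if "" in filters else [t for f in filters for t in parse_filter(f)]
    out = []
    for e in events:
        if e["index"] not in allowed:
            continue  # index restriction applies before any filter
        if terms is None or event_matches(e, terms):
            out.append(e["msg"])
    return out


def untagged_events(events, field):
    """Events missing the tag the filters rely on; these need fixing at ingest."""
    return [e["msg"] for e in events if field not in e]


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    for name in roles:
        print(name, "->", visible_events([name], roles, EVENTS))
    print("untagged:", untagged_events(EVENTS, "location"))
```

Running it shows `role_site_cairo` seeing only the two Cairo-tagged events, `role_all_sites` seeing everything in the three allowed indexes (including the untagged event), and nothing from the `hr` index for anyone; the `untagged_events` check is the audit to run before trusting a tag-based filter, because it is the ingest-time tagging, not the filter, that decides whether an event is correctly scoped.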

nouh_hussein
New Member

I've seen this document before. How secure is this method? Can it guarantee that none of the users will be able to see any of the data that is filtered?

0 Karma

renjith_nair
Legend

If the data access is really a security concern, I suggest separating it using indexes. The search filters filter the data based on the search you provide, and hence you need to make sure that the searches are working as expected. I suggest simulating the user role and testing it yourself.
Additionally, a subset of the data can be copied to a summary index, and the users given access only to the respective summary index. However, it needs scheduled searches to copy the data, and there will also be a delay in data availability to the users based on the schedule.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma