Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Access Control: What is the best approach to limiting users to specific Apps or Views?

snoobzilla
Builder
‎01-23-2017 06:39 AM

We have a fairly large deployment with 60 plus individual apps. These are used almost exclusively by DEVOPS and we haven't really had a need to limit users from using apps/views.

Now we have a need to expose some data to 200 people outside of IT and would like to determine the best way to prevent them from being able to just poke around... i.e. limit them to a specific APP and/or Views/Dashboards within that app and not allow them access to Search within that app.

Based on docs, to grant a role only access a single App it looks like I need to:

  1. Remove "everyone" access from all apps and grant each existing role specific access to all 60+ existing apps
  2. Create a new role with most capabilities of user (e.g. user_external)
  3. Grant user_external access only to the apps/views needed

Do I have this right? If so any suggestions as to the best way to go about it?

For background, I am power user/developer without full admin access who just got admin certification. I will be bringing approaches to the Splunk admin team to execute and want to bring best practice to the table as we haven't done this before.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-31-2017 02:30 PM

There are 2 types of restrictions with Splunk's RBA: access to indices and access to commands. You should create your new roles along these lines. In your case, you have only 2 types of users so you might as well just create a custom role for the new type and do not inherit from any other role. If you will end up having many types of users, it would bet better to create "stackable" roles (like the can_delete role) to create an inheritance structure.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-31-2017 02:30 PM

There are 2 types of restrictions with Splunk's RBA: access to indices and access to commands. You should create your new roles along these lines. In your case, you have only 2 types of users so you might as well just create a custom role for the new type and do not inherit from any other role. If you will end up having many types of users, it would bet better to create "stackable" roles (like the can_delete role) to create an inheritance structure.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-23-2017 07:02 AM

Assuming your data is segregated into different indexes, I would create a new role which would restrict the users ability from seeing options in the User Interface.

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎01-23-2017 06:56 AM

PS... I am planning on giving them only a simple dashboard to access data, not open search access to I am more interested in controlling access that way. I am not planning on giving them access to search and reporting, etc.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2017 06:47 AM

Hi snoobzilla,
the most important thing is to associate to external_users role only the correct indexes, because Splunk gives data Access Rights to roles.
In addition remember to give the new role to all the App's objects (fields, tags, ...).

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎01-23-2017 06:57 AM

See above. I would like to restrict more based on what they can see from an interface standpoint than a data standpoint.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2017 07:05 AM

If you don't give access for a role to an index, the role cannot see the index.
With grants to the dashboards you can limit accesses to funtionalities,
with grants to Indexes you limit accesses to data.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎01-23-2017 07:59 AM

Thanks... I think what you are saying is in line with what I said in original post.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2017 08:06 AM

Yes, the important thing is to grant access to your indexes to specific role.
Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...