Are there any limitations to using Splunk Apps and...

JChris_ · ‎11-08-2022

Hello,

I'm a Splunk Cloud admin who has the following challenge: I want to segregate the access of multiple teams within the company so they can only R/W the reports, alerts, and dashboards that are owned by such teams. My idea is to create an app for each team. Let's use this team structure for example:

SOC Team
AppSec Team
R&D Team

First, I would create the following roles:

SOC
AppSec
R&D

Second, I would create the following apps and attach the roles like this:

SOC (SOC Role has R/W access, others have NO access)
AppSec (AppSec Role has R/W access, others have READ only)
R&D Role (R&D Role has R/W access, others have READ only)

With this implemented, each team will be able to creates alerts/dashboards/etc with the permission "shared in app" and this won't affect the other teams.

Is there any issue/limitation with this approach? I did not spot any issue.

richgalloway · ‎11-08-2022

That approach seems fine. Remember that you are only controlling access to the knowledge objects (KOs) in those apps. Any data used by those KOs may still be accessible to other roles.

---
If this reply helps you, Karma would be appreciated.

JChris_ · ‎11-08-2022

Oh yes, I know the indexes will continue to be seen by everyone by default. The is a whole different issue which is way harder to deal with xD

Are there any limitations to using Splunk Apps and roles for access management?

authentication

other

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI