Security

Enterprise Security Data Compartmentalization

Paul
Explorer

When I create a role and assign it to a user in Splunk Enterprise, I have successfully tested that the user can only see events/data from the indexes specifically selected for that role.

 

However, when logged in as that user, in Splunk Enterprise Security, when accessing the "Security Posture" dashboard, for example, it appears the role restrictions given in Splunk Enterprise do not carry over to enterprise security.  On the Security Posture dashboard, the user I want to limit access of data to can see everything.  This is because there are no restrictions in place on the "es_notable_events" source in ES, for example.  I would like to put a restriction in place so the logged in user can only see notable events from the indexes the user is restricted to in Splunk Enterprise, hence the only data the user can see in the specifically selected indexes, and nothing more.

A restricted user and a Splunk admin has the same visibility to all data on the Security Posture dashboard (and all other applicable dashboards and displays as well).

Is there a way to limit visibility in Enterprise Security (notable events and such) to only data from the indexes the restricted user has access to in Splunk Enterprise?   It seems that the role restrictions put in place in Splunk Enterprise do not carry over easily to Enterprise Security. 

I can create a bunch of customized dashboards and reports with queries filtering on hostname and/or IP range only, but this is a lot of work for something where an option may just need to be set, or an extra parameter added to the role somewhere.

 

Maybe Splunk can make this more easy to manage in a future release of Enterprise Security?

Labels (3)
0 Karma

Paul
Explorer

I was expecting this response.  I did not find an easy way to get this done.  I have posted the idea to the ideas website.

gcusello
SplunkTrust
SplunkTrust

Hi @ at all,

I encountered this problema in a proposal and Splunk Professional Services asked to me an order to make this configuration!

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust

ES gets its data from the notables index so access restrictions on other indexes don't apply.  I think you've already found the best solution/workaround, but consider suggesting a change at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...