How to allow users to run real time searches as a role without that capability?

alekksi
Communicator

Hi all,

We have a relatively security-conscious system with multiple levels of data abstraction to prevent users from seeing certain sensitive information unless they're privileged to see it.

In order to get around the issue of users needing reports that access the underlying data, we have set up service accounts that are permissioned to access the data, which is then set as the owner of a number of saved searches. This means a user with only the 'user' role can access data reports, but is unable to see the underlying data.

One of the reports we want them to see is, however, a real-time search. The service account in question has been given real-time search privileges and access to the underlying data, but users are still unable to run these searches. I do not want the users to just be able to spawn off their own real-time searches -- we removed this from them after a few incidents -- but we do want them to be able to run this report (and potentially others) locally. Is there a way to achieve this?

Thanks in advance!
Alex

1 Solution

DalJeanis
Legend

Just a thought, not sure how practical it might be in your case, but since you are already scheduling a real-time search with a service account, it is probably realistic.

If the search is at a summary level, and it wouldn't be too resource-heavy, then you could create a separate index that you populate on an ongoing basis and let your users have a distinct role that reads that summary index only in rt.

Of course, since it would be summary data and not really real time anyway, you might just have a panel with a quick refresh on a saved search against the data, and then rt doesn't come into it.
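The pattern in this answer, written out as Splunk configuration fragments. This is an added example, not configuration from the thread or from Splunk's documentation; the index name `summary_reports`, the source index `sensitive_data`, the role name `summary_rt`, the saved-search name and the search string are constructed placeholders, while the setting names are standard `savedsearches.conf` and `authorize.conf` settings. It assumes the asker has already removed `rtsearch` from the `user` role, as the question says.

```ini
# --- savedsearches.conf
# Placed under the service account's own directory
# (etc/users/<svc_account>/search/local/savedsearches.conf) so that account,
# which can read the sensitive index, owns and runs the scheduled search.
[populate_summary_reports]
# Constructed search: only aggregated counts leave the sensitive index.
search = index=sensitive_data sourcetype=app_events | stats count AS events BY status
# Run every minute over the previous whole minute (scheduled, not real-time).
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m
# Write the results into the summary index instead of exposing the search.
action.summary_index = 1
action.summary_index._name = summary_reports
# Tag every summary event with its source report (action.summary_index.<field>).
action.summary_index.report = populate_summary_reports

# --- authorize.conf (etc/system/local/ or an app's local/ directory)
# Role for ordinary users: real-time search is allowed, but the index list
# only contains the summary index, so rt never touches sensitive_data directly.
[role_summary_rt]
importRoles = user
rtsearch = enabled
srchIndexesAllowed = summary_reports
srchIndexesDefault = summary_reports
# Keep the number of concurrent real-time jobs per user small.
rtSrchJobsQuota = 1
```

One check worth doing before assigning the role: Splunk combines capabilities and index lists across all of a user's roles, so `rtsearch` granted by `summary_rt` also applies to every index the imported `user` role (or any other role the person holds) is allowed to read. Confirm what the combined role actually grants with a search such as `| rest /services/authorization/roles | search title=summary_rt | fields title capabilities imported_capabilities srchIndexesAllowed` and make sure `sensitive_data` does not appear. For the non-rt alternative the answer mentions, a Simple XML panel can set `<refresh>30s</refresh>` on its `<search>` element against the same summary index.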

alekksi
Communicator

I'll have to give that a go. The index itself is pretty low-volume anyway, so it shouldn't be too much of a worry.

Thanks for your help!

DalJeanis
Legend

Sure. There's not much traffic here, so I'll convert that to an answer and we can mark the question closed.