Security

How to allow users to run real time searches as a role without that capability?

alekksi
Communicator

Hi all,

We have a relatively security-conscious system with multiple levels of data abstraction to prevent users from seeing certain sensitive information unless they're privileged to see it.

In order to get around the issue of users needing reports that access the underlying data, we have set up service accounts that are permissioned to access the data, which then is set as the owner of a number of saved searches. This means a user with only the 'user' role can access data reports, but is unable to see the underlying data.

One of the reports we want them to see is however a real-time search. The service account in question has been given real time search privileges and access to the underlying data, but users are still unable to run these searches. I do not want the users to just be able to spawn off their own real time searches -- we removed this from them after a few incidents -- but we do want them to be able to run this report (and potentially others) locally. Is there a way to achieve this?

Thanks in advance!
Alex

0 Karma
1 Solution

DalJeanis
Legend

Just a thought, not sure how practical it might be in your case, but since you are already scheduling a real-time search with a service account, it is probably realistic.

If the search is at a summary level, and it wouldn't be too resource heavy, then you could create a separate index that you populate on an ongoing basis and let your users have a distinct role that reads that summary index only in rt.

Of course, since it would be summary data and not really real time anyway, you might just have a panel with a quick refresh on a saved search against the data, and then rt doesn't come into it.

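The summary-index approach described in this answer, written out as an added configuration example (not from the original thread); the index, stanza, role and sourcetype names are assumptions:

```ini
# indexes.conf (indexer): the summary index that report consumers may read.
# Assumed name; give it whatever retention you would give any low-volume index.
[sensitive_summary]
homePath   = $SPLUNK_DB/sensitive_summary/db
coldPath   = $SPLUNK_DB/sensitive_summary/colddb
thawedPath = $SPLUNK_DB/sensitive_summary/thaweddb

# savedsearches.conf, owned by the service account that is allowed to read the
# raw index. Runs every 5 minutes and writes aggregated rows only, so no raw
# event text ever lands in the summary index.
[populate_sensitive_summary]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
search = index=sensitive_raw sourcetype=app_events \
    | stats count AS event_count BY host, status \
    | collect index=sensitive_summary marker="summary_of=app_events"

# authorize.conf: role for people who only need the report. It inherits the
# plain 'user' role (from which rtsearch was removed), re-enables rtsearch,
# and limits searchable indexes to the summary index.
[role_summary_rt_reader]
importRoles = user
srchIndexesAllowed = sensitive_summary
srchIndexesDefault = sensitive_summary
rtsearch = enabled

# The answer's alternative without rt: a scheduled report over the summary
# index that a dashboard panel can simply refresh every 30 seconds or so.
[sensitive_summary_report]
enableSched = 1
cron_schedule = */1 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = index=sensitive_summary | timechart span=5m sum(event_count) BY status
```

Index access in Splunk is the union across all of a user's roles, so this only constrains users who hold no other role granting the raw index; check the imported 'user' role's srchIndexesAllowed as well, since imported index lists are inherited.
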
alekksi
Communicator

I'll have to give that a go. The index itself is pretty low-volume anyway, so it shouldn't be too much of a worry.

Thanks for your help!

0 Karma

DalJeanis
Legend

Sure. There's not much traffic here, so I'll convert that to an answer and we can mark the question closed.
