Security

How to allow users to run real time searches as a role without that capability?

alekksi
Communicator

Hi all,

We have a relatively security-conscious system with multiple levels of data abstraction to prevent users from seeing certain sensitive information unless they're privileged to see it.

In order to get around the issue of users needing reports that access the underlying data, we have set up service accounts that are permissioned to access the data, which then is set as the owner of a number of saved searches. This means a user with only the 'user' role can access data reports, but is unable to see the underlying data.

One of the reports we want them to see is, however, a real-time search. The service account in question has been given real-time search privileges and access to the underlying data, but users are still unable to run these searches. I do not want the users to just be able to spawn off their own real-time searches -- we removed this from them after a few incidents -- but we do want them to be able to run this report (and potentially others) locally. Is there a way to achieve this?

Thanks in advance!
Alex

0 Karma
1 Solution

DalJeanis
Legend

Just a thought, not sure how practical it might be in your case, but since you are already scheduling a real-time search with a service account, it is probably realistic.

If the search is at a summary level, and it wouldn't be too resource heavy, then you could create a separate index that you populate on an ongoing basis and let your users have a distinct role that reads that summary index only in rt.

Of course, since it would be summary data and not really real time anyway, you might just have a panel with a quick refresh on a saved search against the data, and then rt doesn't come into it.
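A configuration sketch of the approach DalJeanis describes, added here as an example and not taken from the thread or from Splunk's own documentation: the service account's scheduled search writes aggregated rows into a dedicated summary index, and a separate role gets rtsearch only against that index. Index, role, search, sourcetype and field names are assumed.

```ini
# indexes.conf: the dedicated summary index the service account writes to
# (index name assumed for this example)
[summary_reports]
homePath   = $SPLUNK_DB/summary_reports/db
coldPath   = $SPLUNK_DB/summary_reports/colddb
thawedPath = $SPLUNK_DB/summary_reports/thaweddb

# savedsearches.conf, owned by the service account so it runs with that
# account's index permissions. Every 5 minutes it aggregates the sensitive
# index and writes only the summarised rows into summary_reports; the raw
# events never leave the restricted index. Source index, sourcetype and
# field names are assumed.
[svc_summary_feed]
search = index=sensitive_events sourcetype=app_audit | stats count by action, status
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_reports
action.summary_index.report = svc_summary_feed

# authorize.conf: a role that may run real-time searches, but whose index
# allow-list contains only the summary index. It deliberately does not use
# importRoles = user: srchIndexesAllowed is unioned across imported roles,
# so importing a broader role would widen what can be searched in real time.
[role_rt_summary_reader]
search = enabled
rtsearch = enabled
srchIndexesAllowed = summary_reports
srchIndexesDefault = summary_reports
rtSrchJobsQuota = 2
```

The rtsearch capability itself is not scoped per index, and a user's effective index allow-list is the union of every role assigned to them, so a user who also holds a role that can read the sensitive index would gain real-time access to it as well. Check the combined role membership of each user who receives this role, not just the role stanza on its own.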


alekksi
Communicator

I'll have to give that a go. The index itself is pretty low-volume anyway, so it shouldn't be too much of a worry.

Thanks for your help!

0 Karma

DalJeanis
Legend

Sure. There's not much traffic here, so I'll convert that to an answer and we can mark the question closed.
