How to allow users to run real time searches as a role without that capability?

alekksi
Communicator

Hi all,

We have a relatively security-conscious system with multiple levels of data abstraction to prevent users from seeing certain sensitive information unless they're privileged to see it.

In order to get around the issue of users needing reports that access the underlying data, we have set up service accounts that are permissioned to access the data, which then is set as the owner of a number of saved searches. This means a user with only the 'user' role can access data reports, but is unable to see the underlying data.

One of the reports we want them to see is, however, a real-time search. The service account in question has been given real-time search privileges and access to the underlying data, but users are still unable to run these searches. I do not want the users to just be able to spawn off their own real-time searches -- we removed this from them after a few incidents -- but we do want them to be able to run this report (and potentially others) locally. Is there a way to achieve this?

Thanks in advance!
Alex

0 Karma

DalJeanis
SplunkTrust

Just a thought, not sure how practical it might be in your case, but since you are already scheduling a real-time search with a service account, it is probably realistic.

If the search is at a summary level, and it wouldn't be too resource heavy, then you could create a separate index that you populate on an ongoing basis and let your users have a distinct role that reads that summary index only in rt.

Of course, since it would be summary data and not really real time anyway, you might just have a panel with a quick refresh on a saved search against the data, and then rt doesn't come into it.
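
As an added example (not from the original thread, and not Splunk's own documentation), this is one way to lay out the summary-index approach above in Splunk configuration files. The index name `summary_reports`, the role `rt_summary_reader`, the service account `svc_reports` and the search itself are assumptions; the key point is that the real-time-capable role can only ever search the summary index.

```ini
# indexes.conf -- the summary index end users will be allowed to read in real time
[summary_reports]
homePath   = $SPLUNK_DB/summary_reports/db
coldPath   = $SPLUNK_DB/summary_reports/colddb
thawedPath = $SPLUNK_DB/summary_reports/thaweddb

# savedsearches.conf -- scheduled (not real-time) search that populates the
# summary index. Only the service account has access to the raw index, and
# only the summarised fields are written out. Search and index names are assumed.
[populate_summary_reports]
search = index=sensitive_raw sourcetype=app_events | stats count by host, status
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
action.summary_index = 1
action.summary_index._name = summary_reports

# metadata/local.meta -- make the service account the owner of that search
[savedsearches/populate_summary_reports]
owner = svc_reports
access = read : [ * ], write : [ admin ]
export = system

# authorize.conf -- distinct role for end users. Real-time search is enabled,
# but the only index the role may search is the summary index, so an rt search
# cannot reach the underlying sensitive data. The role deliberately does not
# import the 'user' role: allowed indexes accumulate across imported roles, so
# importing it would widen what a real-time search from this role can reach.
[role_rt_summary_reader]
search = enabled
rtsearch = enabled
srchIndexesAllowed = summary_reports
srchIndexesDefault = summary_reports
rtSrchJobsQuota = 2
```

Check the effective index list of a user holding this role together with any other roles they already have, since index access is the union of all roles assigned to the user, not just this one.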

alekksi
Communicator

I'll have to give that a go. The index itself is pretty low-volume anyway, so it shouldn't be too much of a worry.

Thanks for your help!

0 Karma

DalJeanis
SplunkTrust

Sure. There's not much traffic here, so I'll convert that to an answer and we can mark the question closed.