Security

How to allow users to run real time searches as a role without that capability?

Communicator

Hi all,

We have a relatively security-conscious system with multiple levels of data abstraction to prevent users from seeing certain sensitive information unless they're privileged to see it.

In order to get around the issue of users needing reports that access the underlying data, we have set up service accounts that are permissioned to access the data, which then is set as the owner of a number of saved searches. This means a user with only the 'user' role can access data reports, but is unable to see the underlying data.

One of the reports we want them to see is however a real-time search. The service account in question has been given real time search privileges and access to the underlying data, but users are still unable to run these searches. I do not want the users to just be able to spawn off their own real time searches -- we removed this from them after a few incidents -- but we do want them to be able to run this report (and potentially others) locally. Is there a way to achieve this?

Thanks in advance!
Alex


SplunkTrust

Just a thought, not sure how practical it might be in your case, but since you are already scheduling a real-time search with a service account, it is probably realistic.

If the search is at a summary level, and it wouldn't be too resource heavy, then you could create a separate index that you populate on an ongoing basis and let your users have a distinct role that reads that summary index only in rt.

Of course, since it would be summary data and not really real time anyway, you might just have a panel with a quick refresh on a saved search against the data, and then rt doesn't come into it.

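One way to lay out the summary-index approach from the answer above in Splunk's configuration files. This is an added example, not the poster's own configuration; the index name `summary_report`, the service account `svc_reports`, the role name `summary_rt_reader`, the source search, and the cron schedule are all assumptions for illustration.

```ini
# Added example (not from the original thread): the summary-index setup
# described in the answer above, expressed as Splunk .conf stanzas.
# Assumed names: summary_report (index), svc_reports (service account),
# summary_rt_reader (role), sensitive_index (the restricted source data).

# --- indexes.conf: a dedicated, low-volume index that holds only the summary
[summary_report]
homePath   = $SPLUNK_DB/summary_report/db
coldPath   = $SPLUNK_DB/summary_report/colddb
thawedPath = $SPLUNK_DB/summary_report/thaweddb

# --- savedsearches.conf, owned by svc_reports (which may read sensitive_index):
#     a scheduled historical search that writes only aggregated rows into
#     summary_report, so no raw events leave the restricted index
[populate_summary_report]
enableSched = 1
cron_schedule = */1 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = -1m@m
search = index=sensitive_index sourcetype=app_events | stats count by status
action.summary_index = 1
action.summary_index._name = summary_report

# --- authorize.conf: a distinct role that can run real-time searches but whose
#     index access is limited to the summary index; the plain 'user' role is
#     left without rtsearch, as the question describes
[role_summary_rt_reader]
importRoles = user
rtsearch = enabled
srchIndexesAllowed = summary_report
srchIndexesDefault = summary_report

# --- savedsearches.conf: the report members of summary_rt_reader run locally,
#     as a real-time search that only ever touches summary_report
[rt_status_report]
search = index=summary_report | stats latest(count) as count by status
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
```

Two things to check when adapting this: index access is the union of a role's own `srchIndexesAllowed` and that of every role it imports, so the new role must only import roles that already cannot reach the sensitive index; and the one-minute offset in the populating search (`-2m@m` to `-1m@m`) is there so each run summarises a complete minute, which is why the answer notes the result is "not really real time" even though the report over it is.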

Communicator

I'll have to give that a go. The index itself is pretty low-volume anyway, so it shouldn't be too much of a worry.

Thanks for your help!


SplunkTrust

Sure. There's not much traffic here, so I'll convert that to an answer and we can mark the question closed.