Security

How to limit access to specific events in a given index?

Contributor

Hello,

I have an index named "email" which stores all my emails' information (mailfrom, mailto, subject, country, ...). I would like to limit access to this index for different teams across the world. If an email is sent to the country Germany, I want the Germany team to have access only to email logs with the field "country" set to "Germany".

Is it possible?

Thank you 🙂

0 Karma
1 Solution

Communicator

Don't do this. Speaking as an admin who has learned from experience, srchFilter looks like something that solves your problem, but it actually causes more in the long run.

If you MUST have this level of access control, create an email_ index for each country you deal with (sucks that you have to know them all in advance) and use index-time transforms to route the events. Apply ACLs at the index level.

Pretend that srchFilter doesn't exist. If you don't, one day you'll think to yourself, "that overly dramatic guy on Splunk Answers was right, I should not have used srchFilter."

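What the accepted answer describes, as an added configuration example that is not part of the original thread: index-time routing into a per-country index, a role scoped to that index, and the srchFilter approach beside it for contrast. It assumes the sourcetype is `email`, that the raw event text carries a `country=<Name>` pair, and the index and role names shown.

```ini
# transforms.conf  (indexer / heavy forwarder; runs at index time)
# Assumed: raw events contain "country=Germany" as key=value text.
[route_email_germany]
REGEX    = (?:^|\s)country=Germany(?:\s|$)
DEST_KEY = _MetaData:Index
FORMAT   = email_de

[route_email_france]
REGEX    = (?:^|\s)country=France(?:\s|$)
DEST_KEY = _MetaData:Index
FORMAT   = email_fr

# props.conf  (same instance; one transform per country you know in advance)
[email]
TRANSFORMS-route_country = route_email_germany, route_email_france

# indexes.conf  (indexer; each per-country index must exist before routing)
[email_de]
homePath   = $SPLUNK_DB/email_de/db
coldPath   = $SPLUNK_DB/email_de/colddb
thawedPath = $SPLUNK_DB/email_de/thaweddb

[email_fr]
homePath   = $SPLUNK_DB/email_fr/db
coldPath   = $SPLUNK_DB/email_fr/colddb
thawedPath = $SPLUNK_DB/email_fr/thaweddb

# authorize.conf  (search head)
# Hardened: the ACL is the index boundary itself. The role is not granted
# the catch-all "email" index, where unrouted events still land.
[role_team_germany]
srchIndexesAllowed = email_de
srchIndexesDefault = email_de

# Weak (the approach the thread advises against): the role sees the whole
# index and relies on a search-time filter, which only holds for indexed
# fields because a user can redefine search-time extractions privately.
[role_team_germany_filtered]
srchIndexesAllowed = email
srchIndexesDefault = email
srchFilter         = country=Germany
```

Events that match none of the REGEX stanzas keep the index assigned by their input, so review what reaches that default index before granting any team access to it.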


Contributor

Ok... But what could go wrong?

0 Karma

Contributor

up please 🙂

0 Karma

SplunkTrust

Maybe the easiest way would be to use Search Filters within your role.
Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Addandeditroles#Search_filter_format

For instance, when searching index email append "search Country = Germany" to the members of the German team, and so on.

The alternative is to use summary indexing and apply a different level of permissions there. In principle index level is the way you permission things in Splunk.

0 Karma

SplunkTrust

Will only be secure for indexed fields. A user can always overwrite search-time knowledge objects to circumvent the search filter.

Contributor

So this filter is basically useless?
Maybe I could prevent the user from overwriting this object?

0 Karma

SplunkTrust

You can't prevent users from creating private objects.

The filter may be useful when you want to filter on one of the indexed fields such as host, sourcetype or source.

0 Karma