Security

How to remove permissions for a particular role and for a particular user in Splunk?

Motivator

Currently I have request raised by a user who wants to remove his view access to the internal indexes in Splunk (anything that starts with _) for his account.

He is currently assigned with three different roles and they are Basicuser, Poweruser and Security_user.
When I verified the permission assigned for all the above three roles, I could find for both "Basicuser/Securityuser" are provided with view access only for the user related indexes (Organization related indexes created by user), but in case of Power_user, the user has a privilege to view all the default Splunk internal indexes apart from Organization related indexes.

Below is a list of permissions that need to be removed from the Power_user role for a particular user.
1) _audit
2) _blocksignature
3) _internal
4) _thefishbucket
5) _introspection
6) main
7) All non-internal indexes.

When tried to remove a role against his name, the role was displayed greyed out. Kindly guide me how to get this permission removed for this user.

Thanks in Advance.

0 Karma

SplunkTrust
SplunkTrust

If the roles are disabled, then you might be using external authentication method like LDAP,scripted authentication etc instead of local splunk authentication. For eg: if you are using LDAP, then you can not remove the role directly from the user but only from the LDAP group which is mapped to this role.

On another note, it's not advisable to remove these capabilities from power user role directly. Instead it's suggested to create a new role with all the capabilities of power user except the above mentioned ones and then map the role to the LDAP group instead of the power user role. It's same procedure for other authentication method if you are not using LDAP (for eg:scripted authentication)

Reference :
http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/ManageSplunkuserroleswithLDAP
http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/SetupuserauthenticationwithLDAP
http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/ConfigureSplunktousePAMorRADIUSauthentica...

0 Karma

Motivator

Ranjith, Yes we are using LDAP external authentication method for authentication in splunk. Yes Initially thought of creating a new role with all the capabilities of power user and excluding only the few permission as per the user requirement. But I am not sure on how to remove a role for a particular user in LDAP settings. I had followed below steps but correct me if this is not right way to do so?

Splunk-->settings-->access control --> authentication method --> Configure Splunk to use LDAP and map groups --> action --> manage groups --> SplunkPowerUser. Here I could see many other user id's mapped to this role and my need is to remove only a particular user id from this role not for other users. Kindly guide me on this.

thanks in advance .

0 Karma

SplunkTrust
SplunkTrust

In LDAP it works this way.

  1. Create a role with the required capabilities
  2. Create an LDAP group (ldap admins should do) and then you map the group to the role created in step1
  3. Add the user to the LDAP group (ldap admins should do)

refer to http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/ManageSplunkuserroleswithLDAP

In your case, you have to remove the user from the LDAP group which is mapped to the power user role (Mentioned in one of the points in above link : To remove a user from a Splunk role: On your LDAP server, remove the user from the corresponding LDAP group.)

0 Karma

Motivator

thanks Renjith. Let me try out the steps which you had described above, but before proceeding with this steps, need to know will there be any impact? when I am trying to remove/map the particular user to new role, as the user owns some of apps / Saved Scheduled search reports.

0 Karma

SplunkTrust
SplunkTrust

Permission issue occurs for example
- Knowledge objects which have power-user role assigned , this user will not be able to access them until you add the new role to the object
- Alerts/Reports scheduled by the user will not run if "schedule" privilege is removed as part of power-user removal
- You might need to add/update the new role to the other knowledge objects which is accessed by this user to continue his access unless one of his other roles has the same privileges.
- And of course, any dashboards,reports,etc which has internal indexes' reference will be forbidden to the user

0 Karma

Motivator

thanks Renjith, Let me try this and get back to you incase any issue occurs.

0 Karma