Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to restrict access to indexed fields

jpass
Contributor
‎05-06-2019 09:45 AM

I would like to restrict access to a specific indexed field. Here's my scenario:

  • events contain usernames
  • I use INGEST_EVAL to: create the user field (user), create a hashed version of the user field (user_hash) and to modify _raw to replace the username with the value of user_hash.
  • this is done at index time and fields are indexed
  • my goal is to allow all users access to the user_hash. This psuedo-anonymization allows for stats by user without having the actual username
  • more privileged users will be allowed to access the user field to see the actual value
  • I've set up the INGEST_EVAL extractions and they work fine
  • what is the best way to restrict access to the user field to only specific role?
0 Karma
Reply

koshyk
Super Champion
‎05-06-2019 03:02 PM

Just doing something from my experience
1. The only proper way to restrict permissions is by giving ROLE access to specific INDEX. So create a role and assign specific index which it can access and capabilities accordingly.
2. Then redirect all your raw data to a "secured index" with ROLES which are very secure. (eg index=secure_index sourcetype=secure_sourcetype)
3. Redirect all your user_hash events with another sourcetype to a more generic index which users can access (eg index=not_so_secure_index sourcetype=another_sourcetype)

Unfortunately, this means double the indexing & data. Other ways, is to summary index specific data you want the "less secure" users to see. You can just provide them with some key fields only

0 Karma
Reply

koshyk
Super Champion
‎05-06-2019 11:34 AM

IMO, the ONLY true way to restrict access is at "INDEX" level. So the role can access only specific indexes

Reply

Sukisen1981
Champion
‎05-06-2019 11:08 AM

just to be clear now in the raw events in slunk web , we can see 2 fields user and user_hash with the actual value and the secure hash computed value?
And you want to hide / unhide the actual user value depending upon the user log in?

0 Karma
Reply

jpass
Contributor
‎05-06-2019 11:27 AM

Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to:

Step 1: extract the user field (transforms.conf):

[getusername]
INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")

Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf):

[userhash]
INGEST_EVAL = user_hash = md5(user)

Step 3: replace the occurrence of the username in _raw with the value of user_hash created from step 2 (transforms.conf):

[replaceuserinraw]
INGEST_EVAL = _raw = replace(_raw,user,user_hash)

What I'm left with:

  • a user field with actual username
  • a user_hash field with hash value of username
  • _raw has been modified before being indexed to replace the username with the hash

What I need to figure out:
- user_hash field should be available to all users
- user field should only be available to special users with this privileged

0 Karma
Reply

rcao_splunk
Splunk Employee
Splunk Employee
‎10-30-2020 05:39 AM

But seems there is no way to restrict a special users to access this user field.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...