
How to restrict access to indexed fields

Contributor

I would like to restrict access to a specific indexed field. Here's my scenario:

  • events contain usernames
  • I use INGEST_EVAL to: create the user field (user), create a hashed version of the user field (user_hash) and modify _raw to replace the username with the value of user_hash
  • this is done at index time and the fields are indexed
  • my goal is to allow all users access to user_hash. This pseudo-anonymization allows for stats by user without having the actual username
  • more privileged users will be allowed to access the user field to see the actual value
  • I've set up the INGEST_EVAL extractions and they work fine
  • what is the best way to restrict access to the user field to only a specific role?
0 Karma

Re: How to restrict access to indexed fields

Champion

Just to be clear: now, in the raw events in Splunk Web, we can see 2 fields, user and user_hash, with the actual value and the secure hash computed value?
And you want to hide / unhide the actual user value depending upon the user login?

0 Karma

Re: How to restrict access to indexed fields

Contributor

Not quite. Only the username is displayed in the raw event. I use INGEST_EVAL at index time to:

Step 1: extract the user field (transforms.conf):

# index-time eval: capture the token that follows "username:" into the indexed field "user"
[getusername]
INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")

Step 2: create a field called user_hash which is the md5 hash of the username from step 1 (transforms.conf):

# hash the value created by the previous transform (transforms run in the order listed in props.conf)
[userhash]
INGEST_EVAL = user_hash = md5(user)

Step 3: replace the occurrence of the username in _raw with the value of user_hash created from step 2 (transforms.conf):

# note: the second argument of replace() is a regular expression, so a username
# containing regex metacharacters (for example a dot) is not matched literally
[replaceuserinraw]
INGEST_EVAL = _raw = replace(_raw,user,user_hash)

What I'm left with:

  • a user field with the actual username
  • a user_hash field with the hash value of the username
  • _raw has been modified before being indexed to replace the username with the hash

What I need to figure out:

  • the user_hash field should be available to all users
  • the user field should only be available to special users with this privilege

0 Karma

Re: How to restrict access to indexed fields

Super Champion

IMO, the ONLY true way to restrict access is at the "INDEX" level, so that a role can access only specific indexes.


Re: How to restrict access to indexed fields

Super Champion

Just sharing something from my experience:
1. The only proper way to restrict permissions is by giving a ROLE access to a specific INDEX. So create a role, assign the specific index it can access, and set capabilities accordingly.
2. Then redirect all your raw data to a "secured index" with ROLES which are very secure (eg `index=secure_index sourcetype=secure_sourcetype`).
3. Redirect all your userhash events with another sourcetype to a more generic index which users can access (eg `index=notsosecureindex sourcetype=another_sourcetype`).

Unfortunately, this means double the indexing & data. Another way is to summary-index the specific data you want the "less secure" users to see; you can provide them with some key fields only.

0 Karma
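The two-index design described above, wired together with the INGEST_EVAL steps from the earlier post, as an added configuration example that is not part of the thread. The sourcetype, index and role names are assumptions, both indexes are assumed to already exist in indexes.conf, inputs.conf is assumed to assign the incoming data the sourcetype `secure_sourcetype`, and the props/transforms live on the indexer or heavy forwarder that parses the data:

```ini
# ---- props.conf ----
# TRANSFORMS-* keys run in ASCII order of the key name, and the transforms
# named in one key run left to right. The clone is taken BEFORE any "user"
# field exists, so the open copy has nothing to inherit.
[secure_sourcetype]
TRANSFORMS-10_clone  = clone_to_open
TRANSFORMS-20_fields = getusername, userhash
TRANSFORMS-30_route  = route_secure

# The cloned event is processed by this stanza: it never creates a "user"
# field, only user_hash, and it overwrites the username inside _raw.
[open_sourcetype]
TRANSFORMS-10_hash  = open_hash_only
TRANSFORMS-20_route = route_open

# ---- transforms.conf ----
# Copy every event into the open sourcetype; the original event is untouched
# and continues through the secure_sourcetype transforms.
[clone_to_open]
REGEX = .
CLONE_SOURCETYPE = open_sourcetype

# Secure copy: real username kept as an indexed field, _raw left intact.
[getusername]
INGEST_EVAL = user = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")

[userhash]
INGEST_EVAL = user_hash = md5(user)

# Open copy: the hash is computed straight from _raw so no "user" field is
# ever written, then spliced back into _raw via the capture groups. Splicing
# by capture groups avoids using the username itself as a regex pattern.
[open_hash_only]
INGEST_EVAL = user_hash = md5(replace(_raw,"^(.*username:)(.*?)(\s.*)$","\2")), _raw = replace(_raw,"^(.*username:)(.*?)(\s.*)$","\1" . user_hash . "\3")

# Index routing (assumed index names).
[route_secure]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = secure_index

[route_open]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = notsosecureindex

# ---- authorize.conf ----
# A role's allowed indexes are the union of every role it imports, and the
# built-in "user" and "power" roles allow all non-internal indexes, so the
# custom roles import nothing and grant the search capability directly.
[role_open_analyst]
srchIndexesAllowed = notsosecureindex
srchIndexesDefault = notsosecureindex
search = enabled

[role_secure_analyst]
srchIndexesAllowed = notsosecureindex;secure_index
srchIndexesDefault = secure_index
search = enabled
```

With this in place a member of `role_open_analyst` can run `index=notsosecureindex | stats count by user_hash` but can never reach `secure_index`, and the `user` field does not exist on the events they can see, so there is nothing for a field-level control to leak. One caveat worth keeping in mind (an observation added here, not from the thread): an unsalted md5 of a guessable username is reversible by anyone who can enumerate likely usernames and hash them, so if the open index must resist that, hash the username together with a secret that lives only in the indexer's transforms.conf, for example `sha256(user . "<secret>")`, rather than `md5(user)`.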