How to restrict access to specific rows?

joerglang · ‎08-07-2019

I have an index with kubernetes logs.
Each log line has a field called namespace with following values

I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?

thanks
Jörg

TonyLeeVT · ‎01-18-2023

Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk: https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...

It would be nice to see row-level security natively built in though.

Lucas_K · ‎08-07-2019

Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

joerglang · ‎08-07-2019

Thanks for your feedback.

The problem is, that it is one single log, which has the content with , let me call it, different contextes.

what we are looking for is something like "row level security".

There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.