Hi,
I am currently running Splunk 8.1.9
Is it possible to create a role that will allow a user to access only specific fields in an index?
Example:
field1, field2, field3, field4, field5
The user has access to the index, but can only view data in field1, field4 and field5.
Much thanks.
Even though @isoutamo pointed you to the functionality, I simply wouldn't trust it to do the task properly.
Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way, so it's kinda a "security by obscurity" approach.
It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to the relevant index.
The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).
I totally agree with @PickleRick that these somehow search filter related "features" are not something that I can propose or even use myself. Usually if you can access _raw you can always access that data somehow.
A better option is to forward those events, e.g., into two different indexes, or in some other way "physically" separate them behind different roles/access.
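A sketch of the "physical" separation suggested in the reply above, added here as an example; it is not from any poster in this thread and not from Splunk's documentation. It clones each event at index time, masks field2 and field3 in the clone's _raw, and routes the clone to an index that the limited role is allowed to search. Assumptions: the raw events are key=value text, the original feed already lands in an index named app_full, and the sourcetype, index and role names other than role_limited are hypothetical.

```ini
# ---- props.conf (on the indexer or heavy forwarder that parses the data) ----
# "app_events" is a hypothetical sourcetype for the original, unmasked feed.
[app_events]
TRANSFORMS-clone_limited = clone_for_limited

# The clone gets its own sourcetype; masking and routing apply to it only.
[app_events_limited]
# Assumes key=value raw events. The values are rewritten in _raw itself,
# so no search-time extraction can recover them from this index.
SEDCMD-mask_field2 = s/field2=\S+/field2=####/g
SEDCMD-mask_field3 = s/field3=\S+/field3=####/g
TRANSFORMS-route_limited = route_limited_index

# ---- transforms.conf ----
# Duplicate every event and give the copy the masked sourcetype.
[clone_for_limited]
REGEX = .
CLONE_SOURCETYPE = app_events_limited

# Send the masked copy to its own index (hypothetical name app_limited).
[route_limited_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_limited

# ---- authorize.conf ----
# Limited users can search only the masked index.
[role_limited]
srchIndexesAllowed = app_limited
srchIndexesDefault = app_limited

# Hypothetical role for users who may see every field.
[role_full]
srchIndexesAllowed = app_full;app_limited
srchIndexesDefault = app_full
```

Check that role_limited does not inherit access to app_full through an imported role, and confirm as a limited user that a search over index=app_limited returns only masked values in _raw.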
Hi isoutamo,
Thanks, I followed the documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering) and it doesn't seem to work.
[role_limited]
fieldFilter-field2 = XXXX
I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in clear.
Regards.
Hi
I think that this feature was published some time ago. I haven't tried it myself, but at least here is some documentation about it. https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering
r. Ismo