Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to restrict user access to specific fields in index

madcow
Loves-to-Learn Lots
‎05-11-2022 08:32 PM

Hi, 

I am currently running Splunk 8.1.9

Is it possible to create a role, that will allow a user to access only specific fields in an index?

Example:

field1, field2, field3, field4, field5

User have access to the index, but can only view data in field1, field4 and field5.

 

Much thanks.

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-18-2022 02:10 AM

Even though @isoutamo pointed you to the functionality, I simply wouldn't trust it to do the task properly.

Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way so it's kinda "security by obscurity" approach.

It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to relevant index.

The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-18-2022 07:54 AM

I totally agree with @PickleRick that these somehow search filter related "features" are not something what I can propose or even use by myself. Usually if you can access _raw you can always access that data somehow.

Better option is forward those events e.g. in two different indexes or other way "physically" separate those behind different roles/access.

0 Karma
Reply

madcow
Loves-to-Learn Lots
‎05-18-2022 01:52 AM

Hi isoutamo, 

 

Thanks, I followed the documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering) and it doesn't seem to work.

[role_limited]

fieldFilter-field2 = XXXX

 

I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in clear. 

Regards.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-11-2022 11:46 PM

Hi

I think that this feature has published some time ago. Haven't try it by myself, but at least here is some documentation about it. https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top