How to restrict user access to specific fields in index

madcow
Loves-to-Learn

Hi, 

I am currently running Splunk 8.1.9

Is it possible to create a role, that will allow a user to access only specific fields in an index?

Example:

field1, field2, field3, field4, field5

The user has access to the index, but can only view data in field1, field4 and field5.

Much thanks.

0 Karma

PickleRick
SplunkTrust

Even though @isoutamo pointed you to the functionality, I simply wouldn't trust it to do the task properly.

Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way, so it's kind of a "security by obscurity" approach.

It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to the relevant index.

The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).

0 Karma

isoutamo
SplunkTrust

I totally agree with @PickleRick that these search-filter-related "features" are not something that I can propose or even use myself. Usually, if you can access _raw, you can always access that data somehow.

A better option is to forward those events, e.g., into two different indexes, or in some other way "physically" separate them behind different roles/access.

0 Karma
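The index separation suggested in the reply above, sketched as an added example that is not part of the original thread: each event is cloned at index time, field2 and field3 are masked in the clone's _raw, and the limited role can search only the index holding the masked copy. The sourcetype name `app:events`, the index names `app_full` and `app_limited`, and the `key=value` event layout are assumptions.

```ini
# Assumed names: sourcetype app:events, indexes app_full / app_limited.
# Events are assumed to be key=value text, e.g. "field1=a field2=b ...".

# --- indexes.conf (indexers): a second index for the masked copy ---
[app_limited]
homePath   = $SPLUNK_DB/app_limited/db
coldPath   = $SPLUNK_DB/app_limited/colddb
thawedPath = $SPLUNK_DB/app_limited/thaweddb

# --- props.conf (indexers or heavy forwarders, where parsing happens) ---
# Original sourcetype: events are indexed unchanged in app_full
# (index set at the input) and each one is also cloned.
[app:events]
TRANSFORMS-clone_limited = clone_for_limited

# Cloned sourcetype: mask the restricted fields in _raw before indexing,
# then route the clone to the restricted index.
[app:events:limited]
SEDCMD-mask_field2 = s/field2=\S+/field2=XXXX/g
SEDCMD-mask_field3 = s/field3=\S+/field3=XXXX/g
TRANSFORMS-route_limited = route_to_app_limited

# --- transforms.conf (same instances as props.conf) ---
[clone_for_limited]
REGEX = .
CLONE_SOURCETYPE = app:events:limited

[route_to_app_limited]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_limited

# --- authorize.conf (search heads) ---
[role_limited]
srchIndexesAllowed = app_limited
srchIndexesDefault = app_limited
# Verify that no role pulled in via importRoles grants access to app_full.
```

Because the masking happens before the clone is written, the restricted values never exist in `app_limited`, including in _raw. The cloned events are indexed a second time, so plan for the extra indexing volume and storage.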

madcow
Loves-to-Learn

Hi isoutamo,

Thanks, I followed the documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering) and it doesn't seem to work.

[role_limited]
fieldFilter-field2 = XXXX

I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in the clear.

Regards.

0 Karma

isoutamo
SplunkTrust

Hi

I think that this feature was published some time ago. I haven't tried it myself, but at least here is some documentation about it: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering

r. Ismo

0 Karma