Security

How to restrict user access to specific fields in index

madcow
Loves-to-Learn Lots

Hi, 

I am currently running Splunk 8.1.9

Is it possible to create a role, that will allow a user to access only specific fields in an index?

Example:

field1, field2, field3, field4, field5

The user has access to the index, but can only view data in field1, field4 and field5.

Much thanks.

0 Karma

PickleRick
SplunkTrust

Even though @isoutamo pointed you to the functionality, I simply wouldn't trust it to do the task properly.

Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way, so it's kind of a "security by obscurity" approach.

It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to the relevant index.

The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).

0 Karma

isoutamo
SplunkTrust

I totally agree with @PickleRick that these somehow search-filter-related "features" are not something that I can propose or even use myself. Usually, if you can access _raw, you can always access that data somehow.

A better option is to forward those events e.g. to two different indexes, or in some other way "physically" separate them behind different roles/access.

0 Karma
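
One way to set up the index separation suggested above, as an added example that is not from any poster in this thread. It assumes events are written as key=value pairs in _raw and that the original data is already sent to an index named app_full; the sourcetype, index, stanza and role names are all hypothetical.

```ini
# --- props.conf (on the indexer or heavy forwarder that parses the data) ---
# "app:events" is a hypothetical sourcetype for the original events,
# assumed to be indexed into app_full via inputs.conf.
[app:events]
TRANSFORMS-clone_limited = clone_to_limited

# The cloned copy arrives under this hypothetical sourcetype.
# Strip field2 and field3 from _raw before indexing (assumes key=value
# text without spaces in the values), then route the copy to its own index.
[app:events:limited]
SEDCMD-drop_field2 = s/field2=\S+\s?//g
SEDCMD-drop_field3 = s/field3=\S+\s?//g
TRANSFORMS-route_limited = route_to_limited

# --- transforms.conf ---
# Duplicate every event of the original sourcetype under the new sourcetype.
[clone_to_limited]
REGEX = .
CLONE_SOURCETYPE = app:events:limited

# Send the stripped copy to the restricted-view index.
[route_to_limited]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_limited

# --- authorize.conf ---
# Limited users can search only the index that never contained field2/field3.
[role_limited]
srchIndexesAllowed = app_limited
srchIndexesDefault = app_limited

# Hypothetical role for users allowed to see the complete events.
[role_full]
srchIndexesAllowed = app_full;app_limited
srchIndexesDefault = app_full
```

Because field2 and field3 are removed from _raw before the copy is written, there is nothing left in app_limited to re-extract at search time. Check that the limited role does not inherit wider index access from an imported role.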

madcow
Loves-to-Learn Lots

Hi isoutamo,

Thanks, I followed the documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering) and it doesn't seem to work.

[role_limited]
fieldFilter-field2 = XXXX

I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in the clear.

Regards.

0 Karma

isoutamo
SplunkTrust

Hi

I think that this feature was published some time ago. I haven't tried it myself, but at least here is some documentation about it: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering

r. Ismo

0 Karma