
How to restrict user access to specific fields in index

madcow
Loves-to-Learn Lots

Hi, 

I am currently running Splunk 8.1.9

Is it possible to create a role, that will allow a user to access only specific fields in an index?

Example:

field1, field2, field3, field4, field5

The user has access to the index, but can only view data in field1, field4 and field5.

 

Much thanks.

 

0 Karma

PickleRick
SplunkTrust

Even though @isoutamo pointed you to the functionality, I simply wouldn't trust it to do the task properly.

Whenever you have access to the _raw event, you can always see the contents of the original event and you can extract the field in any other way, so it's kinda a "security by obscurity" approach.

It's safer to assume that if the data is ingested and indexed in Splunk, it's available for reading to anyone with access to the relevant index.

The fieldfilter approach could work relatively well in some specific use cases (severely limited users with no access to "raw" search, just clicking through some pre-defined dashboards).

0 Karma

isoutamo
SplunkTrust

I totally agree with @PickleRick that these somehow search-filter-related "features" are not something that I can propose or even use myself. Usually, if you can access _raw, you can always access that data somehow.

A better option is to forward those events e.g. to two different indexes, or in some other way "physically" separate them behind different roles/access.

0 Karma
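
One way to set up the index separation suggested in the reply above, as an added example that is not part of any post in this thread. It keeps the full events where they are and writes a masked copy to a second index that the limited role can search; the sourcetype `app:events`, the index `app_redacted`, and the key=value event layout are assumptions, and `role_limited` is the stanza name used elsewhere in the thread.

```ini
# ---- transforms.conf (on the indexer or heavy forwarder that parses the data) ----
# Assumed names: sourcetype app:events, index app_redacted.

# Duplicate every app:events event under a second sourcetype.
[clone_for_limited]
REGEX = .
CLONE_SOURCETYPE = app:events:redacted

# Send the duplicate to its own index.
[route_redacted]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_redacted

# ---- props.conf ----
[app:events]
TRANSFORMS-clone = clone_for_limited

[app:events:redacted]
# Assumes key=value events such as "field2=abc"; adjust the pattern to the real format.
# The rewrite happens at index time, so _raw in app_redacted never holds the values.
SEDCMD-mask_field2 = s/field2=\S+/field2=REDACTED/g
SEDCMD-mask_field3 = s/field3=\S+/field3=REDACTED/g
TRANSFORMS-route = route_redacted

# ---- indexes.conf ----
[app_redacted]
homePath = $SPLUNK_DB/app_redacted/db
coldPath = $SPLUNK_DB/app_redacted/colddb
thawedPath = $SPLUNK_DB/app_redacted/thaweddb

# ---- authorize.conf ----
[role_limited]
# Only the redacted index is searchable. Imported roles add their own
# indexes, so do not import a role that can search the full index.
srchIndexesAllowed = app_redacted
srchIndexesDefault = app_redacted
```

The masking only applies to events indexed after the change, and every event is stored twice (once in full, once redacted). To check it, log in as the limited user and confirm that events in `app_redacted` show `field2=REDACTED` in the raw text and that the full index returns nothing.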

madcow
Loves-to-Learn Lots

Hi isoutamo, 

 

Thanks, I followed the documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/setfieldfiltering) and it doesn't seem to work.

[role_limited]
fieldFilter-field2 = XXXX

 

I restarted Splunk after making the changes, but the user with the assigned "limited" role was still able to see data in field2 in the clear.

Regards.

0 Karma

isoutamo
SplunkTrust

Hi

I think that this feature was published some time ago. I haven't tried it myself, but at least here is some documentation about it: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Security/planfieldfiltering

r. Ismo

0 Karma