Security

Is there a way to show a certain user’s data to another user in a different SAML/AD group without EVERYONE in the other account seeing it and without creating a separate AD/SAML account in Splunk Cloud using SAML as authentication?

kelstahl8705
Path Finder

Hi there 🙂
I am in the process of migrating from Enterprise to Cloud, and as I am setting up Splunk roles for the SAML groups that will use Splunk I am running into the issue that I have some elevated users that need to see certain indexes but not everything. I wrote out an example below to get the user Tony the access he needs.

• Let's say I have a SAML/AD group called Splunk_Marvel with Tony, Steve, and Peter as members. This group is to see the role “marvel events” and only this role (the role can see indexes called “comic” and “sidekicks”).

• I also have a SAML/AD group called Splunk_DC with Bruce, Clark, and Harley as members. This group is only supposed to see the role “dc events” and only this role (this role can see indexes “comic”, “identity” and “powers”).

• Now Tony asked his manager/put in a request to see the index “identity” and his manager approved but reminded him that only he can see it and not Steve and Peter.

So what I’m running into for options/solutions to this is…

• Give Splunk_Marvel the role “dc_events” …but now Steve and Peter are not supposed to see the index “identity”, and Tony shouldn’t see “powers”.
• Create a new SAML/AD group that just has Tony in it, add it as a SAML group in Cloud, and also create a new role to view just the index “identity”.
• Create a local Splunk account for Tony to use (he’s a big enough deal) and assign that index to him specifically. WAIT!! wait wait Tony’s boss was talking to the sysadmin for Splunk and they said NO LOCAL SPLUNK ACCOUNTS!! ONLY SAML CAN BE USED FOR LOGIN!!

So how do I give Tony the access he needs without creating a new AD/SAML group for just him or giving him access to data he and his team shouldn’t see?

1 Solution

mydog8it
Builder

We handled this by creating access roles based on the business unit. All users in a business unit get access to all the data owned by that business unit.

If you are going to permit a data access model that gets granular down to differing access for users in the same business unit, you are going to end up with index-specific access roles. I guess that becomes a way to allow specific users without too much sprawl: if you made one access exception group per index and added users to that AD group to allow access to data outside their business unit, it would allow the access.

Beware that allowing access outside of some largeish organizational unit can lead to unruly sprawl in your access model that can become unmanageable.


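What the "one exception group per index" model from the answer above looks like on disk, as an added illustration that is not the poster's or Splunk's own configuration. Role, index and group names are the hypothetical ones from the question, and the stanzas are what the Splunk Cloud Roles and SAML Groups pages write for you (Cloud does not let you edit these files by hand).

```ini
# authorize.conf: added example, not from the thread. Roles are additive in
# Splunk, so a user holding several roles searches the UNION of their
# srchIndexesAllowed lists. Keep importRoles empty here so no role drags in
# index access from a parent role (e.g. the default "user" role).

# Business-unit roles: everyone in the unit sees all of the unit's data.
[role_marvel_events]
importRoles =
search = enabled
srchIndexesAllowed = comic;sidekicks
srchIndexesDefault = comic;sidekicks

[role_dc_events]
importRoles =
search = enabled
srchIndexesAllowed = comic;identity;powers
srchIndexesDefault = comic;identity;powers

# Exception role: exactly one index, nothing else. Granting it never
# leaks the rest of the other unit's indexes (here: powers).
[role_idx_identity]
importRoles =
search = enabled
srchIndexesAllowed = identity
srchIndexesDefault = identity

# authentication.conf: map SAML/AD groups to roles. Each line is
# "<splunk role> = <group>;<group>". Tony is a member of Splunk_Marvel
# AND of the per-index exception group Splunk_Idx_Identity (hypothetical
# AD group name), so his effective indexes are comic, sidekicks, identity.
# Steve and Peter are only in Splunk_Marvel: comic, sidekicks.
[roleMap_SAML]
marvel_events = Splunk_Marvel
dc_events = Splunk_DC
idx_identity = Splunk_Idx_Identity
```

After the groups are synced, each user can confirm what they actually see with `| eventcount summarize=false index=* | dedup index | table index`, which only lists indexes the user's combined roles permit.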
