Is there a way to show a certain user’s data to another user in a different SAML/AD group without EVERYONE in the other account seeing it and without creating a separate AD/SAML account in Splunk Cloud using SAML as authentication?
Hi there 🙂
I am in the process of migrating from Enterprise to Cloud, and as I am setting up Splunk roles for the SAML groups that will use Splunk, I am running into the issue that I have some elevated users that need to see certain indexes but not everything. I wrote out an example below to get the user Tony the access he needs.
• Let's say I have a SAML/AD group called Splunk_Marvel with Tony, Steve, and Peter as members. This group is to see the role “marvel events” and only this role (The role can see indexes called “comic” and “sidekicks”).
• I also have a SAML/AD group called Splunk_DC with Bruce, Clark, and Harley as members, this group is only supposed to see the role “dc events” and only this role (this role can see indexes “comic”, “identity” and “powers”).
• Now Tony asked his manager/put in a request to see the index “identity” and his manager approved but reminded him that only he can see it and not Steve and Peter.
So what I’m running into for options/solutions to this is…
• Give Splunk_Marvel the role “dc events” …but now Steve and Peter are not supposed to see the index “identity” and Tony shouldn’t see “Powers”
• Create a new SAML/AD group that just has Tony in it, add it as a SAML group in cloud, and also create a new role to view just the index “identity”.
• Create a local Splunk account for Tony to use (he’s a big enough deal) and assign that index to him specifically. WAIT!! wait wait Tony’s boss was talking to the sysadmin for Splunk and they said NO LOCAL SPLUNK ACCOUNTS!! ONLY SAML CAN BE USED FOR LOGIN!!
So how do I give Tony the access he needs without creating a new AD/SAML group for just him or giving him access to data he and his team shouldn’t see?
Re: Is there a way to show a certain user’s data to another user in a different SAML/AD group without EVERYONE in the other account seeing it and without creating a separate AD/SAML account in Splunk Cloud using SAML as authentication?
We handled this by creating access roles based on the business unit. All users in a business unit get access to all the data owned by that business unit.
If you are going to permit a data access model that gets granular down to differing access for users in the same business unit, you are going to end up with index-specific access roles. I guess that becomes a way to allow specific users without too much sprawl: if you made one access exception group per index and added users to that AD group to allow access to data outside their business unit, it would allow the access.
Beware that allowing access outside of some largeish organizational unit can lead to unruly sprawl in your access model that can become unmanageable.
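The two access models from this thread, as an added example that is not part of either post: a small audit that computes each user's effective indexes from group-to-role mappings and compares them with what was approved. Group, role and index names come from the question; the exception group `Splunk_Idx_identity`, the role `idx identity` and the `APPROVED` table are hypothetical.

```python
# Constructed model of the thread's scenario. "idx identity" and
# "Splunk_Idx_identity" are hypothetical names for the per-index exception.
ROLE_INDEXES = {
    "marvel events": {"comic", "sidekicks"},
    "dc events": {"comic", "identity", "powers"},
    "idx identity": {"identity"},
}
GROUP_MEMBERS = {
    "Splunk_Marvel": {"Tony", "Steve", "Peter"},
    "Splunk_DC": {"Bruce", "Clark", "Harley"},
    "Splunk_Idx_identity": {"Tony"},
}
# What each user is approved to see (constructed from the question's text).
APPROVED = {u: {"comic", "sidekicks"} for u in ("Steve", "Peter")}
APPROVED["Tony"] = {"comic", "sidekicks", "identity"}
APPROVED.update({u: {"comic", "identity", "powers"} for u in ("Bruce", "Clark", "Harley")})

# Option 1 from the question: also give Splunk_Marvel the "dc events" role.
OPTION_SHARED_ROLE = {
    "Splunk_Marvel": ["marvel events", "dc events"],
    "Splunk_DC": ["dc events"],
}
# The reply's model: one access exception group per index.
OPTION_EXCEPTION_GROUP = {
    "Splunk_Marvel": ["marvel events"],
    "Splunk_DC": ["dc events"],
    "Splunk_Idx_identity": ["idx identity"],
}

def effective_indexes(user, group_roles):
    """Union of indexes over every role reached through the user's groups."""
    indexes = set()
    for group, roles in group_roles.items():
        if user in GROUP_MEMBERS.get(group, ()):
            for role in roles:
                indexes |= ROLE_INDEXES[role]
    return indexes

def audit(group_roles):
    """Return {user: (over_granted, missing)} for users deviating from APPROVED."""
    findings = {}
    for user, approved in APPROVED.items():
        got = effective_indexes(user, group_roles)
        over, missing = got - approved, approved - got
        if over or missing:
            findings[user] = (sorted(over), sorted(missing))
    return findings

if __name__ == "__main__":
    for name, option in (("shared role", OPTION_SHARED_ROLE),
                         ("exception group", OPTION_EXCEPTION_GROUP)):
        print(name, audit(option) or "matches approvals")
```

Running the same audit on a schedule against exported group memberships is one way to catch the sprawl the reply warns about before it becomes unmanageable.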