Security

Limit access to parts of indexes

JensT
Communicator

Situation:

Index 1, Role 1
Index 2, Role 2
Index 3, Role 3
.... Etc.

Now I need a new role which gives full access to Index 2, and partial access to Index 1, e.g. just to a certain sourcetype.
How do I achieve this? I tried a srchFilter, but it's applied to the complete search.
+ If tomorrow someone orders Role 3 in addition, it should give full access to Index 1, 3 and the partial access to 2...

Regards,
Jens

0 Karma

tomaszwrona
Explorer

Hi Jens,

With the new Splunk 8 you can define a role which gives you partial access to an index.
I mean you can build a role which is based on a given index and then restrict the access based on fields of your choosing (sourcetype, host, ...).

Best regards
Tomasz

0 Karma

gjanders
SplunkTrust

After going through this previously, I believe the comments by @adonio are valid here!

Because of the way Splunk is designed, at least as of version 7.1.x, the index access controls are per-role; there is no method to control access to part of an index or a particular sourcetype within an index.

The srchFilter option allows you to change a query in the search screen of the user, so for example if the search filter is:

index=X OR (index=Y sourcetype=Z)

Then, if the user searches for anything, that will be added to the search behind the scenes. There are a few issues with search filters in my opinion:

  • In older versions of Splunk you could bypass a search filter by using particular types of knowledge objects; I have not tested in newer versions
  • If the user is a member of a role with a search filter, then all roles the user is in must include the search filter (see below)
  • They make the searches very ugly... ok, this probably isn't a major issue, but you might care about it if you use the job inspector

For those last two points refer to:
How users inherit search filter restrictions

How users inherit search filter restrictions

You can create roles that inherit the characteristics of other roles. Users assigned to multiple roles inherit properties from the assigned roles.

In the case of search filters, if a user is assigned to roles with different search filters, the filters are all combined and thus the restrictions of each role are applied.

For example, by default, the Power and User roles do not have search filters defined to restrict searches. If a user has a combination of these roles and another role with filters defined (for example, srchFilter=x), the user will inherit the restrictions of that role, despite the association with roles that have no filter. 

For example, if I created roles A and B, where role A has access to index X and has "srchFilter=index=x sourcetype=Z", and role B has no search filter but has access to index Y, and I give a user roles A & B and then run a search such as:

index=Y test 

This becomes:

litsearch (index=Y test index=X sourcetype=Z) 

Therefore the search will not return results!
To summarise: if you use search filters, you will have to use them on every role a user might be added to, they can be bypassed (or at least they could in older versions of Splunk), and the configuration will quickly become ugly!

In terms of solutions I cannot offer any easy options here, as per the suggestions either re-thinking the index strategy, relaxing the access to data within the index, or summary indexes are all valid options...

Good luck, please accept the answer or up-vote if it helps as it does take a lot of effort to write posts like this!
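A small Python model of the search-filter inheritance gjanders walks through above, added here as an illustration and not code from the thread or from Splunk itself. Role names, indexes and the sample events are constructed; a filter is a plain predicate standing in for the srchFilter string, and the filters of all of a user's roles are ANDed, as the quoted docs and the litsearch example show.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# A constructed event is a dict: {"index": ..., "sourcetype": ..., "_raw": ...}
# A filter is a predicate over one event (stands in for a Splunk search string).
Event = dict
Filter = Callable[[Event], bool]

@dataclass
class Role:
    name: str
    indexes: set                          # stands in for srchIndexesAllowed
    srch_filter: Optional[Filter] = None  # None = no srchFilter on this role

# Constructed sample data: index X holds two sourcetypes, index Y holds one.
EVENTS = [
    {"index": "X", "sourcetype": "Z", "_raw": "test event from X/Z"},
    {"index": "X", "sourcetype": "W", "_raw": "test event from X/W"},
    {"index": "Y", "sourcetype": "Q", "_raw": "test event from Y/Q"},
]

def run_search(roles: list, user_search: Filter) -> list:
    """Events a user holding `roles` gets back: the user's own search, ANDed
    with every role's srchFilter (as in the thread), limited to allowed indexes."""
    allowed = set().union(*(r.indexes for r in roles))
    filters = [r.srch_filter for r in roles if r.srch_filter is not None]
    return [e for e in EVENTS
            if e["index"] in allowed and user_search(e) and all(f(e) for f in filters)]

# Role A: index X with "srchFilter=index=X sourcetype=Z"; role B: index Y, no filter.
role_a = Role("A", {"X"}, lambda e: e["index"] == "X" and e["sourcetype"] == "Z")
role_b = Role("B", {"Y"})
index_y_test = lambda e: e["index"] == "Y" and "test" in e["_raw"]  # "index=Y test"

def hits_for_roles(roles: list) -> int:
    """How many events 'index=Y test' returns for a user with these roles."""
    return len(run_search(roles, index_y_test))

# The thread's conclusion: every role the user can hold must carry the full filter.
full_filter = lambda e: (e["index"] == "X" and e["sourcetype"] == "Z") or e["index"] == "Y"
role_a_fixed = Role("A", {"X"}, full_filter)
role_b_fixed = Role("B", {"Y"}, full_filter)

def sourcetypes_visible_in_x(roles: list) -> list:
    """Which sourcetypes of index X a user with these roles can see."""
    return sorted({e["sourcetype"] for e in run_search(roles, lambda e: e["index"] == "X")})
```

With role B alone the search returns the one index Y event; adding role A drops it to zero, and only when both roles carry the complete filter does index Y come back while index X stays limited to sourcetype Z.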

adonio
Ultra Champion

hello there,

I think you are going in the right direction using search filters:
Role 4, index = 1 OR (index = 2 sourcetype = foo)
Read more here:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Addandeditroles#Search_filter_format

hope it helps

0 Karma

JensT
Communicator

Hello Adonio,

thanks for your speedy reply, that would indeed work, but it's not feasible for us.

1.) Ownership for Index 1 might be different. So the owner of Role 4 might not be allowed to grant access to Index 1, which he/she would give implicitly.

2.) We do not want to modify the Splunk config for every possible combination. So the access to different indexes should still be controlled by different roles, not by modifying Role 4 all the time.

0 Karma

adonio
Ultra Champion

You can use a summary index ...
Create a search that captures the pieces of data from Index 1 and populates Summary Index 1.
Have your new role see the new summary index and anything else it needs to see.

0 Karma

JensT
Communicator

Hello Adonio,

thanks for your passion in this.
But if you think a minute about this, I am sure you will agree that this is not a good approach.
And the overhead is just one bad aspect.

0 Karma

adonio
Ultra Champion

@JensT,

whether this approach is good or bad or somewhere in between is for the user to decide. I thought about it plenty; you are not the only one that encountered this challenge.
Doesn't matter if I (or you) like it or not, this is how Splunk handles RBAC and the options I suggested above are the common workarounds...
Another approach you can consider is to "double index" the portion of data you want Role 4 to access, by routing and filtering data. The challenge here is that it will cost you double license.
Will be more than happy to see if there are other ideas / solutions / workarounds to your challenge.

all the best

0 Karma

ddrillic
Ultra Champion

Absolutely, that was my thinking as I went through the thread. However, too much overhead in managing these summary indexes...

0 Karma