Security

Limit access to specific events in one index

ips_mandar
Builder

Hi,
I have one role which has Restrict search terms as index=abc $table="azuredignostics"
then how this user having this role can access $table="Perf" data. How he can get access to all data from calculated fields
but I am not able to achieve what eval function need to be created.
As I am using OMS add-on so it has 1 source, 1 host and 1 sourcetype so in calculated fields * won't help.

0 Karma

woodcock
Esteemed Legend

Do not use this feature; it is easy to bypass so paper-thin as to be useless. The only true access-control is denying access to particular index values.

0 Karma

ips_mandar
Builder

yes I can understand that there will be security issue I just wanted to understand How to bypass take access to all data using calculated fields ...as I was trying to create calculated fields to bypass access but unable to do so as I have only 1 host, source and sourcetype.

0 Karma

woodcock
Esteemed Legend

If the restriction requires a field, then create a calculated field that defines it; if it requires the field not to exist, create a calculated field that sets it to null(). Boom! Bypassed.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...