Security

Limit users searches to OUs in AD

twhisnant
New Member

How can I limit Splunk users searches to events for objects in their respective OUs? UserA under OU-A should be able to search for events from all workstations/servers under that branch in AD but not under a same level OU, such as OU-B.

So, users under the OU "Houston" should be able to search for all events for machines in their directory structure, but not other OUs.

Confusing? Would be awesome...

0 Karma

the_wolverine
Champion

You could give each OU a role and restrict that role to being able to search on its own OU using a search filter of "OU=x"


0 Karma

twhisnant
New Member

I'm trying to find a way to show all events from UFs that live in a certain branch. If the agent sent this information up to the indexers AND was searchable then I can see adding this to a role. Feature request?

0 Karma

twhisnant
New Member

We do something similar now, but it's restricted to matching search terms, and rarely does an event contain the AD OU path. Example: srcip=1.1.1.0/24 for the role's search terms returns all events containing that field and value but NOT all events from machines in that subnet, so the user is seeing limited information.

"...search on its own OU using a search filter of 'OU=x'": I believe this would only return events with a field of OU defined AND values in that field, a pretty rare occurrence. I don't see where this aligns to an object's place in AD.

0 Karma

alacercogitatus
SplunkTrust

The only way I could see this happening is by splitting the machine events into different "OU indexes". You would, using your example, create an index of "ou_houston". Then assign roles in Splunk to only allow users with the "OU_Houston" role to search index "ou_houston". So it would be something like:

index=ou_houston host=some_host | blah

http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf

http://splunk-base.splunk.com/answers/10582/permissions-on-indexes-and-sourcetypes

0 Karma
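An added configuration example, not from this thread, showing the index-per-OU approach in the answer above beside the search-filter-only role the question found insufficient. The index name, role names, host and LDAP group are assumptions; the UF's own inputs decide which index its events land in, since nothing in the event says where the machine sits in AD.

```ini
# --- On each universal forwarder belonging to the Houston OU ---
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app pushed from a deployment server)
# Routing to an index is decided here, on the forwarder, not derived from AD.
[default]
index = ou_houston

[WinEventLog://Security]
disabled = 0
# inherits index = ou_houston from [default]

# --- On the indexers: indexes.conf, one index per OU ---
[ou_houston]
homePath   = $SPLUNK_DB/ou_houston/db
coldPath   = $SPLUNK_DB/ou_houston/colddb
thawedPath = $SPLUNK_DB/ou_houston/thaweddb

# --- On the search head: authorize.conf ---

# Weak: a field-based filter is ANDed onto every search, so only events that
# actually carry an OU field are returned; most workstation/server events have
# no such field and simply disappear rather than being scoped to the OU.
[role_ou_houston_filter_only]
importRoles = user
srchFilter = OU="Houston"

# Corrected: scope the role to the OU's index; every event the Houston forwarders
# send lands there no matter which fields it contains.
[role_ou_houston]
# Do not import 'user' or any role that already allows other indexes:
# allowed indexes are inherited and accumulate across imported roles.
srchIndexesAllowed = ou_houston
srchIndexesDefault = ou_houston
# Capabilities needed to run searches (a subset of the built-in 'user' role).
search = enabled

# --- On the search head: authentication.conf (assumes LDAP auth is configured) ---
# Maps an AD group to the role so membership, not the event content, grants access.
[roleMap_MyLDAP]
role_ou_houston = CN=Splunk-Houston,OU=Houston,DC=example,DC=local
```

With this in place, a Houston user's search is confined to index=ou_houston even if they omit the index term, and events from another OU's forwarders are never visible to that role.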

twhisnant
New Member

While an option, it would add considerable overhead for us (20+ existing indexes containing 50+ sourcetypes, multiple groups, multiple companies).

0 Karma