Security

Limit users' searches to OUs in AD

twhisnant
New Member

How can I limit Splunk users' searches to events for objects in their respective OUs? UserA under OU-A should be able to search for events from all workstations/servers under that branch in AD, but not under a same-level OU such as OU-B.

So, users under the OU "Houston" should be able to search for all events for machines in their directory structure, but not other OUs.

Confusing? Would be awesome...

0 Karma

the_wolverine
Champion

You could give each OU a role and restrict that role to being able to search on its own OU using a search filter of "OU=x".


0 Karma
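As an added illustration of the role-plus-search-filter approach in the answer above (this is example configuration, not something posted in the thread), here is what that looks like in authorize.conf on the search head. The role names, the OU values "Houston" and "Dallas", and the field name OU are assumed; the OU field must actually exist in the indexed events for the filter to match anything.

```ini
# authorize.conf (search head): one role per OU, restricted by search filter.
# Added example; role names, OU values and the OU field are assumptions.

[role_ou_houston]
# Inherit the built-in user role's capabilities (search, own-password change, ...).
importRoles = user
# Splunk ANDs this term onto every search the role runs, so only events
# that carry an OU field equal to "Houston" are ever returned.
srchFilter = OU="Houston"

[role_ou_dallas]
importRoles = user
srchFilter = OU="Dallas"
```

Two things to check before relying on this: the filter is an ordinary search term, so an event that has no OU field is invisible to these roles (the limitation raised later in this thread), and when a user holds several roles Splunk combines their search filters with OR, so a user in both roles sees the union of both OUs, which is usually what you want but is worth verifying with a test account.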

twhisnant
New Member

I'm trying to find a way to show all events from UFs that live in a certain branch. If the agent sent this information up to the indexers AND was searchable then I can see adding this to a role. Feature request?

0 Karma

twhisnant
New Member

We do something similar now, but it's restricted to matching search terms, and rarely does an event contain the AD OU path. Example: srcip=1.1.1.0/24 for the role's search terms returns all events containing that field and value but NOT all events from machines in that subnet, so the user is seeing limited information.

"...search on its own OU using a search filter of "OU=x"": I believe this would only return events with a field of OU defined AND values in that field, pretty rare occurrence. I don't see where this aligns to an objects place in AD.

0 Karma

alacercogitatus
SplunkTrust

The only way I could see this happening is by splitting the machine events into different "OU indexes". You would, using your example, create an index of "ou_houston". Then assign roles in Splunk to only allow users with the "OU_Houston" role to search index "ou_houston". So it would be something like:

index=ou_houston host=some_host | blah

http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf

http://splunk-base.splunk.com/answers/10582/permissions-on-indexes-and-sourcetypes

0 Karma
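The per-OU index approach above works because OU membership is decided by where the forwarder sends its data, not by the content of the events. The following is an added example of the three pieces involved (it is not configuration posted in the thread, and the index, role and path names are assumed); it also adds the forwarder-side routing that the answer leaves implicit.

```ini
# Added example for the per-OU index approach; all names are assumptions.

# --- indexes.conf (indexers) ------------------------------------------
# One index per OU. homePath, coldPath and thawedPath are required when
# defining a new index in indexes.conf.
[ou_houston]
homePath   = $SPLUNK_DB/ou_houston/db
coldPath   = $SPLUNK_DB/ou_houston/colddb
thawedPath = $SPLUNK_DB/ou_houston/thaweddb

# --- inputs.conf, in an app deployed only to forwarders in OU=Houston ---
# A [default] stanza routes every input on that forwarder to the OU index,
# so the events need not contain any OU information at all.
[default]
index = ou_houston

# --- authorize.conf (search head) --------------------------------------
[role_ou_houston]
# Index permissions are inherited from imported roles, so grant the
# capabilities this role needs directly instead of importing "user"
# (check what any imported role allows with: splunk btool authorize list).
search = enabled
# Only this index is searchable, and it is searched when no index= is given.
srchIndexesAllowed = ou_houston
srchIndexesDefault = ou_houston
```

The deployment-server app (or whatever pushes inputs.conf) is the real access-control boundary here: a forwarder that receives the Houston app lands in the Houston index, so the server-class membership has to be kept in step with the AD OU, and the OP's note about existing indexes and sourcetypes shows the cost, since every existing index would have to be split per OU.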

twhisnant
New Member

While an option, it would add considerable overhead for us (20+ existing indexes containing 50+ sourcetypes, multiple groups, multiple companies).

0 Karma