Security

Restrict user access to specific lookup table

mtk15804
New Member

I have a lookup table that stores employee data to map employee numbers and departments. In the dashboard I will use the following SPL, but I don't want the user to query the lookup table or export it separately. Is there any way to solve this problem?

index=idx_foo | rename owner.email as user_mail | join type=left user_mail [inputlookup append=t company_emp_all.csv] | fields project, user_name, user_dept
0 Karma

koshyk
Super Champion

Two ways I can think of (but I'm not sure how your infrastructure permissions are driven, so not guaranteed to work):

  1. Create a SEPARATE lookup file with ONLY the fields that could be used & exposed, so in your case ONLY with fields user_mail & user_name etc. You can have a saved search generate this lookup (using outputlookup) once every xx minutes from the original company_emp_all.csv.
  2. Use transforms.conf & metadata: ensure your query does NOT use company_emp_all.csv directly, but uses transforms.conf with a unique_transform_stanza_name. Put this object in its own app and provide access ONLY to admin groups or groups. Then set up this app (https://dev.splunk.com/enterprise/docs/developapps/createapps/setpermissionsforobjects/) with something like $SPLUNK_HOME/etc/apps/<your_app_name>/metadata/default.meta to prevent the lookup being exposed. Again, I don't know the user permissions/roles in your organisation, so not guaranteed to work.
0 Karma
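
The two suggestions in the answer above can be combined in one app, sketched here as an added example that is not from the thread or from Splunk's own documentation. The app name `emp_lookup_admin`, the stanza names, the file `company_emp_public.csv` and the 30-minute schedule are assumptions; the field names are the ones in the question's search.

```ini
# Added example; app name "emp_lookup_admin", stanza names and schedule are assumptions.

# --- $SPLUNK_HOME/etc/apps/emp_lookup_admin/default/transforms.conf ---
# Lookup definition for the full table; searches reference the stanza name.
[company_emp_all]
filename = company_emp_all.csv

# Lookup definition for the reduced copy that dashboards are allowed to use.
[company_emp_public]
filename = company_emp_public.csv

# --- $SPLUNK_HOME/etc/apps/emp_lookup_admin/default/savedsearches.conf ---
# Scheduled search that rebuilds the reduced copy with only the exposed fields.
[gen_company_emp_public]
search = | inputlookup company_emp_all | fields user_mail user_name user_dept | outputlookup company_emp_public.csv
enableSched = 1
cron_schedule = */30 * * * *

# --- $SPLUNK_HOME/etc/apps/emp_lookup_admin/metadata/default.meta ---
# Full table and its definition: admin only, not shared outside this app.
[lookups/company_emp_all.csv]
access = read : [ admin ], write : [ admin ]
export = none

[transforms/company_emp_all]
access = read : [ admin ], write : [ admin ]
export = none

# Generator runs as an admin-owned search so it can read the full table.
[savedsearches/gen_company_emp_public]
owner = admin
access = read : [ admin ], write : [ admin ]
export = none

# Reduced copy: readable by every role, shared globally for dashboards.
[lookups/company_emp_public.csv]
access = read : [ * ], write : [ admin ]
export = system

[transforms/company_emp_public]
access = read : [ * ], write : [ admin ]
export = system
```

With this layout the dashboard search would reference `company_emp_public` instead of `company_emp_all.csv`, so the dashboard user's role only ever needs read access to the reduced copy.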

gcusello
SplunkTrust

Hi @mtk15804,
First, your search isn't correct (inputlookup needs a pipe), and you don't need to join a search and a lookup because you can use the lookup command, which does the same thing. In other words, the correct search is:

index=idx_foo
| lookup company_emp_all.csv user_mail AS owner.email OUTPUT lookup_interesting_fields
| fields project, user_name, user_dept

The only way is to block the access to the search dashboard for that user's role.
You can do it by disabling the "Open in search" button in each dashboard's panel and by disabling access to the Search and Reporting dashboard in all apps.

Ciao.
Giuseppe

0 Karma