Restrict user access to specific lookup table

New Member

I have a lookup table that stores employee data to map employee numbers and departments. In the dashboard I will use the following SPL, but I don't want the user to query the lookup table or export it separately. Is there any way to solve this problem?

index=idx_foo | rename as user_mail | join type=left user_mail [inputlookup append=t company_emp_all.csv] | fields project, user_name, user_dept
0 Karma

Super Champion

Two ways I can think of (but not sure how your infrastructure permissions are driven, so not guaranteed to work):

  1. Create a SEPARATE lookup file with ONLY the fields that could be used & exposed. So in your case, ONLY with fields user_mail & user_name etc. You can have a saved search generate this lookup (using outputlookup) once every xx minutes from the original company_emp_all.csv.
  2. Use transforms.conf & metadata: ensure your query does NOT use company_emp_all.csv directly, but uses transforms.conf with unique_transform_stanza_name. Put this object in its own app and provide access ONLY to admin groups or groups. Then set up this app with something like $SPLUNK_HOME/etc/apps/<your_app_name>/metadata/default.meta to prevent the lookup being exposed. Again, I don't know the user permissions/roles in your organisation, so not guaranteed to work.
0 Karma
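
One way to lay out both suggestions from the reply above as Splunk configuration. This is an added example, not configuration posted by anyone in the thread. The app name `emp_lookup_restricted`, the stanza names, the reduced file `company_emp_public.csv`, the 30-minute schedule and the `admin` owner are assumptions; only `company_emp_all.csv` and the field names come from the thread.

```ini
# Assumed names: app "emp_lookup_restricted", stanzas "company_emp_all" and
# "company_emp_public", saved search "generate_company_emp_public".

# --- $SPLUNK_HOME/etc/apps/emp_lookup_restricted/default/transforms.conf ---
# Lookup definitions, so searches refer to a stanza name instead of the file.
[company_emp_all]
filename = company_emp_all.csv

[company_emp_public]
filename = company_emp_public.csv

# --- $SPLUNK_HOME/etc/apps/emp_lookup_restricted/default/savedsearches.conf ---
# Scheduled search that rebuilds the reduced copy from the full table.
[generate_company_emp_public]
search = | inputlookup company_emp_all | fields user_mail user_name user_dept | outputlookup company_emp_public
enableSched = 1
cron_schedule = */30 * * * *

# --- $SPLUNK_HOME/etc/apps/emp_lookup_restricted/metadata/default.meta ---
# Full table and its definition: admin role only, not shared outside this app.
[lookups/company_emp_all.csv]
access = read : [ admin ], write : [ admin ]
export = none

[transforms/company_emp_all]
access = read : [ admin ], write : [ admin ]
export = none

# Reduced table and its definition: readable by all roles, shared globally.
[lookups/company_emp_public.csv]
access = read : [ * ], write : [ admin ]
export = system

[transforms/company_emp_public]
access = read : [ * ], write : [ admin ]
export = system

# Generator search: owned by an admin user (assumed) so it can read the full table.
[savedsearches/generate_company_emp_public]
owner = admin
access = read : [ admin ], write : [ admin ]
export = none
```

With this layout the dashboard search would reference `company_emp_public` rather than the full file. Dashboard users can still read the reduced table directly, so it should hold only fields that are acceptable to expose.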

Esteemed Legend

Hi @mtk15804,
First, your search isn't correct (inputlookup needs a pipe), and you don't need to join a search and a lookup because you can use the lookup command, which is the same thing. In other words, the correct search is:

| lookup company_emp_all.csv user_mail AS OUTPUT lookup_interesting_fields] 
| fields project, user_name, user_dept

The only way is to block access to the search dashboard for that user's role.
You can do it by disabling the "Open in search" button in each dashboard's panel and disabling access to the Search and Reporting dashboard in all apps.


0 Karma