Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Security and privileges in Splunk

ronak
Path Finder
‎10-19-2014 05:59 AM

I've a setup where,

  1. I've an index called "mobile" that stores mobile event data
  2. The index has feed from mobile events from various customers who use our mobile app
  3. The mobile events come with default attribute that help identify the client (e.g. an attribute called client_id - 1 for client A, 2 for client B etc)
  4. I've few dashboards (each with 5~6 panels presenting various charts and tables representing business data)

My need

  1. I want to expose Splunk environment to these clients
  2. However, I don't want client A's users to be able to search Client B's data upon logging
  3. Also, when users of client A login, the dashboards should present the data pertaining to client-A only (filtering Client B data out from reports)...THUS, I can reuse the dashboards and reports

Couple of options thought of,

  1. Have separate splunk installation/environment for each client such that the index name mobile (hence the associated dashboards , reports) can be reused...additional cost of hardware and copy (thus maintenance) of application code, but easiest option

    1. Have same environment, but create separate indexes for each client - mobile_client_A, mobile_client_B. This probably saves on hardware, but requires lot of work and maintenance on application code (dashboards and reports)...I also do NOT know if it is possible (and how) to tie users with index.

I need some pointers on above and also any other option that you can share.

Any pointers would be greatly appreciated.

thanks

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-19-2014 08:02 AM

The best way would be to have separate indexes per client. Create a Splunk role for each client and set their index visibility accordingly, and make sure they don't inherit the "all non-internal indexes" from the default user role.

Have your dashboards load data for index=client_*. That way each user will load all the client indexes he can read, which is only the one you set in their role. No huge work on the dashboard/report code necessary.

Separate environments will work as well, but is a lot of effort if you don't need the additional hardware for indexing/search volume anyway.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-19-2014 04:41 PM

One other way you can consider (but which is not completely secure -- a clever user with the right access could get around it) is to use the role filters. Set up roles for each client X, then set up roles with the filter client_id=X for each client.

Separate indexes will be more secure, but role filters will work similarly in most cases.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...