Security

Security and privileges in Splunk

ronak
Path Finder

I've a setup where,

  1. I've an index called "mobile" that stores mobile event data
  2. The index has feed from mobile events from various customers who use our mobile app
  3. The mobile events come with default attribute that help identify the client (e.g. an attribute called client_id - 1 for client A, 2 for client B etc)
  4. I've few dashboards (each with 5~6 panels presenting various charts and tables representing business data)

My need

  1. I want to expose Splunk environment to these clients
  2. However, I don't want client A's users to be able to search Client B's data upon logging
  3. Also, when users of client A login, the dashboards should present the data pertaining to client-A only (filtering Client B data out from reports)...THUS, I can reuse the dashboards and reports

Couple of options thought of,

  1. Have separate splunk installation/environment for each client such that the index name mobile (hence the associated dashboards , reports) can be reused...additional cost of hardware and copy (thus maintenance) of application code, but easiest option

    1. Have same environment, but create separate indexes for each client - mobile_client_A, mobile_client_B. This probably saves on hardware, but requires lot of work and maintenance on application code (dashboards and reports)...I also do NOT know if it is possible (and how) to tie users with index.

I need some pointers on above and also any other option that you can share.

Any pointers would be greatly appreciated.

thanks

Tags (2)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The best way would be to have separate indexes per client. Create a Splunk role for each client and set their index visibility accordingly, and make sure they don't inherit the "all non-internal indexes" from the default user role.

Have your dashboards load data for index=client_*. That way each user will load all the client indexes he can read, which is only the one you set in their role. No huge work on the dashboard/report code necessary.

Separate environments will work as well, but is a lot of effort if you don't need the additional hardware for indexing/search volume anyway.

gkanapathy
Splunk Employee
Splunk Employee

One other way you can consider (but which is not completely secure -- a clever user with the right access could get around it) is to use the role filters. Set up roles for each client X, then set up roles with the filter client_id=X for each client.

Separate indexes will be more secure, but role filters will work similarly in most cases.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...