Security and privileges in Splunk

ronak
Path Finder

I've a setup where,

  1. I've an index called "mobile" that stores mobile event data
  2. The index has feed from mobile events from various customers who use our mobile app
  3. The mobile events come with a default attribute that helps identify the client (e.g. an attribute called client_id - 1 for client A, 2 for client B etc)
  4. I've a few dashboards (each with 5~6 panels presenting various charts and tables representing business data)

My need

  1. I want to expose Splunk environment to these clients
  2. However, I don't want client A's users to be able to search Client B's data upon logging in
  3. Also, when users of client A log in, the dashboards should present the data pertaining to client A only (filtering Client B data out from reports)...THUS, I can reuse the dashboards and reports

Couple of options thought of,

  1. Have a separate Splunk installation/environment for each client such that the index name mobile (hence the associated dashboards, reports) can be reused...additional cost of hardware and copy (thus maintenance) of application code, but easiest option
  2. Have the same environment, but create separate indexes for each client - mobile_client_A, mobile_client_B. This probably saves on hardware, but requires a lot of work and maintenance on application code (dashboards and reports)...I also do NOT know if it is possible (and how) to tie users with index.

I need some pointers on above and also any other option that you can share.

Any pointers would be greatly appreciated.

thanks


martin_mueller
SplunkTrust

The best way would be to have separate indexes per client. Create a Splunk role for each client and set their index visibility accordingly, and make sure they don't inherit the "all non-internal indexes" from the default user role.

Have your dashboards load data for index=client_*. That way each user will load all the client indexes he can read, which is only the one you set in their role. No huge work on the dashboard/report code necessary.

Separate environments will work as well, but are a lot of effort if you don't need the additional hardware for indexing/search volume anyway.
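A check for the inheritance pitfall mentioned in the answer above, as an added example that is not part of the original post: it reads authorize.conf text, unions `srchIndexesAllowed` over each role and the roles it imports, and reports client roles that can search another client's index. The role names, index names and sample configuration are constructed, and it assumes each client role is named after its index.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf sample; role and index names are assumptions.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *

[role_client_a]
srchIndexesAllowed = client_a

[role_client_b]
importRoles = user
srchIndexesAllowed = client_b
"""
ALL_INDEXES = ["main", "_internal", "client_a", "client_b"]  # constructed

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    # authorize.conf lists are semicolon-separated
    return [v.strip() for v in value.split(";") if v.strip()]

def allowed_patterns(roles, name, seen=None):
    """Union of srchIndexesAllowed over a role and everything it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(split_list(roles[name].get("srchIndexesAllowed", "")))
    for parent in split_list(roles[name].get("importRoles", "")):
        patterns |= allowed_patterns(roles, parent, seen)
    return patterns

def visible_indexes(roles, name, indexes=ALL_INDEXES):
    pats = allowed_patterns(roles, name)
    # "*" covers non-internal indexes only; internal ones need a "_" pattern.
    return sorted(i for i in indexes if any(
        fnmatchcase(i, p) and (not i.startswith("_") or p.startswith("_"))
        for p in pats))

def cross_client_leaks(roles, prefix="client_"):
    """Map each client role to other clients' indexes it can search."""
    found = {r: [i for i in visible_indexes(roles, r)
                 if i.startswith(prefix) and i != r]
             for r in roles if r.startswith(prefix)}
    return {r: extra for r, extra in found.items() if extra}
```

On the sample, `client_b` is flagged because importing `user` brings in that role's `*` index access, while `client_a` sees only its own index.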

gkanapathy
Splunk Employee

One other way you can consider (but which is not completely secure -- a clever user with the right access could get around it) is to use the role filters. Set up roles for each client X, then set up roles with the filter client_id=X for each client.

Separate indexes will be more secure, but role filters will work similarly in most cases.
