Security

Splunk User Permissions- Is it possible to restrict at this level?

justindett
Path Finder
Hi,
 
I have a Splunk role and the allowed index is index=api.
 
There are a number of users that are part of this role.

But I don't want to allow all users who are part of this role to see all logs. Only those that are relevant to them.

These logs can be identified by a specific field called org.

E.g. org=X org=Y org=Z (I only want specific users in this role to have access to the org value that is relevant to them)

Is it possible to restrict this at that level? Or would we need to create separate roles and indexes to achieve this granular access?
0 Karma

gcusello
SplunkTrust

Hi @justindett,

One question: do you want to limit the access to

  1. a part of all events (e.g. some fields but not the full _raw event) in index=api, or
  2. some events in this index (e.g. only the ones where org=X OR org=Y OR org=Z)?

In the second case, if you want to put some limitation on the accessible events, you could add a Restriction to one role [Settings > Roles > Restriction].

If instead you want to permit some users access only to a part of an event (e.g. some fields but not the whole event), it isn't possible in general.

The workaround is creating a dedicated dashboard that displays only the permitted fields and in which the "open in search" feature is disabled.

Ciao.

Giuseppe

0 Karma
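The Restriction mentioned above is the role's "Restrict search terms" setting (srchFilter in authorize.conf). It is a property of the role, not of the user, so a single shared role cannot give different users different org values; what is needed is one role per org value, all searching the same index=api, with no extra indexes. The stanzas below are an added example, not configuration from the original post or from Splunk's documentation; the role names and the org values are assumptions for illustration.

```ini
# Added example, not from the original post: one role per org value.
# Role names other than the existing index "api" are assumptions.

[role_api_user]
# Base role: may search index=api but carries no filter of its own.
srchIndexesAllowed = api
srchIndexesDefault = api
importRoles = user

[role_api_org_x]
importRoles = api_user
# Every search run by a member of this role is ANDed with this term,
# so index=api | stats count by org returns only org=X for that user.
srchFilter = org=X

[role_api_org_y]
importRoles = api_user
srchFilter = org=Y

[role_api_org_z]
importRoles = api_user
srchFilter = org=Z
```

Assign each user to exactly one of the org roles and not to api_user directly. Filters from several roles held by the same user are joined with OR unless srchFilterSelecting is set to false on the role, so a user put in both org_x and org_y sees both orgs, and the admin role's srchFilter = * overrides all of them. After reloading, check the result by logging in as a test user in role_api_org_x and running index=api | stats count by org, which should list only org=X.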

justindett
Path Finder

Hi Giuseppe,

My initial response was to create dedicated dashboards as you mentioned as well. But thought perhaps someone had another idea.

Basically all users belong to the same role, they can see all events for index=api.

But the admin would like to limit access to the org field.

So some users can only see org=x and some can only see org=y.


0 Karma

gcusello
SplunkTrust

Hi @justindett,

As I said, it's possible to limit access to some filtered events of an index using Restrictions, but the only way not to display a part of an event is to create a dedicated dashboard that displays only the permitted fields, remembering to disable the "Open in search" feature that lets users see the raw events.

Otherwise, you could create a summary index containing only the fields that those users can see and give them access to this summary index instead of the full index.

Ciao.

Giuseppe

0 Karma
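Of the two options in the answer above, only the summary index one is an access control: hiding "Open in search" on a dashboard removes a link, and a user whose role may still search index=api can type the same search by hand. The stanzas below are an added example, not configuration from the original post or from Splunk's documentation, showing the summary-index variant end to end: a scheduled search owned by the admin copies only the permitted fields into a separate index, and the users' role is allowed to search that index only. The index name api_summary, the role name, the field names endpoint and status, and the five-minute schedule are assumptions for illustration.

```ini
# Added example, not from the original post. Index, role, field names
# (endpoint, status) and the schedule are assumptions for illustration.

# --- indexes.conf (on the indexers) ---
[api_summary]
homePath   = $SPLUNK_DB/api_summary/db
coldPath   = $SPLUNK_DB/api_summary/colddb
thawedPath = $SPLUNK_DB/api_summary/thaweddb

# --- savedsearches.conf (on the search head, in an app owned by an admin) ---
[api_summary_fill]
# Runs with the owner's permissions, so it reads the full index=api.
# Keep only the allowed fields and drop _raw so the original event text
# never reaches the summary index.
search = index=api | fields _time org endpoint status | fields - _raw
enableSched = 1
cron_schedule = */5 * * * *
# Search the previous five-minute window aligned to the minute so runs
# do not overlap or leave gaps.
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
action.summary_index = 1
action.summary_index._name = api_summary

# --- authorize.conf ---
[role_api_org_x_summary]
importRoles = user
# No access to index=api at all: only the reduced copy, and only org=X in it.
srchIndexesAllowed = api_summary
srchIndexesDefault = api_summary
srchFilter = org=X
```

The summary index holds field=value rows rather than the original log lines, so a user in role_api_org_x_summary who runs index=api_summary sees the org, endpoint and status of org=X events and nothing else; a search against index=api returns nothing because the role does not allow it. The data arrives with the delay of the schedule, which is the price of the field-level restriction.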