
Splunk User Permissions - Is it possible to restrict at this level?

justindett
Path Finder
Hi,
 
I have a Splunk role and the allowed index is index=api.
 
There are a number of users that are part of this role.

But I don't want to allow all users in this role to see all logs. Only those that are relevant to them.

These logs can be identified by a specific field called org.

E.g. org=X org=Y org=Z (I only want specific users in this role to have access to the org field that is relevant to them)

Is it possible to restrict this at that level? Or would we need to create separate roles and indexes to achieve this granular access?

gcusello
SplunkTrust

Hi @justindett,

one question: do you want to limit the access to

  1. a part of all events (e.g. some fields but not the full _raw event) in index=api,
  2. some events in this index (e.g. only the ones where org=X OR org=Y OR org=Z)?

In the second case, if you want to put some limitation on the accessible events, you could add a Restriction to one role [Settings > Roles > Restrictions].

If instead you want to permit some users access only to a part of an event (e.g. some fields but not the whole event), it isn't possible in general.

The workaround is creating a dedicated dashboard that displays only the permitted fields, with the "Open in search" feature disabled.

Ciao.

Giuseppe

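The Restrictions approach above, expressed as authorize.conf stanzas rather than through the Settings > Roles UI. This is an added example, not configuration from the original thread: the role names and the org values are assumed; index=api and the field name org come from the question.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/ directory)
# Added example. Role names and org values are assumptions; index=api and the
# "org" field come from the question above.

# One role per org. Each role is granted only index=api and a search filter
# on the org field. srchFilter is what the UI calls "Restrictions":
# Splunk prepends it to every search the role member runs, so a member of
# role_api_org_x effectively always searches "index=api org=X ...".
[role_api_org_x]
importRoles = user
srchIndexesAllowed = api
srchIndexesDefault = api
srchFilter = org=X
# true (the default) ORs this filter with the filters of the user's other
# roles; false ANDs them. Either way, keep the per-org roles exclusive.
srchFilterSelecting = true

[role_api_org_y]
importRoles = user
srchIndexesAllowed = api
srchIndexesDefault = api
srchFilter = org=Y
srchFilterSelecting = true

# A team that legitimately needs two orgs: put the OR inside one filter
# instead of giving the user two roles.
[role_api_org_xy]
importRoles = user
srchIndexesAllowed = api
srchIndexesDefault = api
srchFilter = (org=X OR org=Y)
srchFilterSelecting = true
```

Two checks before relying on this. First, role inheritance unions index access and combines search filters, so the imported role (here the built-in user role, an assumption) must not itself grant broader indexes or an unrestricted filter; in particular, users moved into these roles must be removed from the original unrestricted api role, because an unrestricted filter ORed with org=X matches everything. Second, the filter is evaluated like any other search term, so org must be extracted for these events at search time (or be an indexed field); events in which org is missing or extracted under a different name are simply invisible to the restricted users, which is the safe failure mode but worth verifying with a test account.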

justindett
Path Finder

Hi Giuseppe,

My initial response was to create dedicated dashboards as you mentioned as well. But thought perhaps someone had another idea.

Basically all users belong to the same role, they can see all events for index=api.

But the admin would like to limit access to the org field.

So some users can only see org=x and some can only see org=y

 


gcusello
SplunkTrust

Hi @justindett,

as I said, it's possible to limit the access to some filtered events of an index using Restrictions, but the only way to not display a part of an event is to create a dedicated dashboard that displays only the fields to show, remembering to disable the "Open in search" feature, which permits seeing the raw events.

Otherwise, you could create a Summary index containing only the fields that those users can see and give them access to this summary index instead of the full index.

Ciao.

Giuseppe

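The summary-index option from the answer above, as an added example rather than configuration from the thread. It is the only one of the two workarounds that actually enforces the field restriction: a dashboard hides columns at the presentation layer, but the search behind it runs with the viewer's own permissions, so anyone who can reach index=api in the search bar still sees the full events. The saved-search name, summary index name, schedule and field list are assumptions.

```ini
# Added example. Search name, summary index name, schedule and the kept
# field list (endpoint, status) are assumptions; index=api and org=X come
# from the question.

# indexes.conf: the summary index must exist before collect can write to it.
[api_summary_org_x]
homePath   = $SPLUNK_DB/api_summary_org_x/db
coldPath   = $SPLUNK_DB/api_summary_org_x/colddb
thawedPath = $SPLUNK_DB/api_summary_org_x/thaweddb

# savedsearches.conf: scheduled search that copies only the permitted
# fields of org=X events into the summary index. "fields" without "-"
# drops _raw, so collect builds each summary event from the listed
# key=value pairs only; nothing else from the original event is copied.
[api_summary_for_org_x]
search = index=api org=X | fields _time, org, endpoint, status | collect index=api_summary_org_x
enableSched = 1
# Every 15 minutes, over a 15-minute window that ends 15 minutes ago, so
# late-arriving events are included and consecutive runs do not overlap.
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = -15m@m

# authorize.conf: these users are never granted index=api at all, so there
# is no raw event for them to open in search.
[role_api_summary_org_x]
importRoles = user
srchIndexesAllowed = api_summary_org_x
srchIndexesDefault = api_summary_org_x
```

The saved search should be owned by an account that can read index=api (it runs with its owner's permissions, not the viewer's), and as with any inherited role, confirm that the imported role does not already allow index=api, since index access is unioned across a user's roles. The cost of this design is the copy itself: summary events lag the source by the scheduling window, and any field added to the search later becomes visible to the restricted users from that point on, so the field list is the access-control decision and should be reviewed as such.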