Security

Splunk User Permissions- Is it possible to restrict at this level?

justindett
Path Finder
Hi,
 
I have a Splunk role and the allowed index is index=api.
 
There are a number of users that are part of this role.

But I don't want to allow all users in this role to see all logs, only those that are relevant to them.

These logs can be identified by a specific field called org.

Eg. org=X org=Y org=Z (I only want specific users in this role to have access to the org field that is relevant to them)

Is it possible to restrict this at that level? Or would we need to create separate roles and indexes to achieve this granular access?

gcusello
SplunkTrust

Hi @justindett,

one question: do you want to limit the access to

  1. a part of all events (e.g. some fields but not the full _raw event) in index=api,
  2. some events in this index (e.g. only the ones where org=X OR org=Y OR org=Z)

?

In the second case, if you want to put some limitation on the accessible events, you could add a Restriction to one role [Settings > Roles > Restriction].

If instead you want to permit some users access to only a part of an event (e.g. some fields but not all the event), it isn't possible in general.

The workaround is creating a dedicated dashboard that displays only the permitted fields and has the "open in search" feature disabled.

Ciao.

Giuseppe


justindett
Path Finder

Hi Giuseppe,

My initial response was to create dedicated dashboards as you mentioned as well. But thought perhaps someone had another idea.

Basically all users belong to the same role, they can see all events for index=api.

But the admin would like to limit access to the org field.

So some users can only see org=x and some can only see org=y


gcusello
SplunkTrust

Hi @justindett,

As I said, it's possible to limit access to some filtered events of an index using Restrictions, but the only way to not display a part of an event is to create a dedicated dashboard that displays only the intended fields, remembering to disable the "Open in search" feature that permits seeing the raw events.

Otherwise, you could create a Summary index containing only the fields that those users can see and give them access to this summary index instead of the full index.

Ciao.

Giuseppe

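The per-role Restriction that both answers above refer to, written out as an added authorize.conf example (not from the thread or from Splunk's own docs); the role names and the org values X and Y are assumed for illustration.

```ini
# Added example: the role search filter (Settings > Roles > Restriction)
# expressed in authorize.conf. The field org is assumed to be extracted
# reliably for every event in index=api; the filter only works as well as
# that extraction does.

# Weak setting: one shared role, every member sees every event in index=api.
[role_api_users]
srchIndexesAllowed = api
srchIndexesDefault = api

# Corrected setting: one role per org, each with a search filter that is
# appended to every search the role's members run.
[role_api_org_x]
srchIndexesAllowed = api
srchIndexesDefault = api
srchFilter = org=X

[role_api_org_y]
srchIndexesAllowed = api
srchIndexesDefault = api
srchFilter = org=Y

# Check: a user must hold only their org role. Filters from multiple roles
# are combined with OR, so keeping a user in the unfiltered role_api_users
# (or in both org roles) removes the restriction again.
```

After a restart, verify from a test account in role_api_org_x that `index=api | stats count by org` returns only org=X.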