Splunk User data access control - Managing roles and access



Please find below usecase we have currently:

We have the two indexes A having sourcetypes X1,Y1,Z1 and B having source types namely X2,Y2,Z2. In order to restrict user the access to all sourcetypes/indices we have created the following custom roles and assigned to respected users.

AX1 - Having access to sourcetype 'X1' in index A
AY1 - Having access to sourcetype 'Y1' in index A
BY2 - Having access to sourcetype 'Y2' in index B
BZ2 - Having access to sourcetype 'Z2' in index B and so on.

As a part of security guideline, recently, we have integrated our Splunk Cloud instance with Single Sign on using SAML while we authenticate the users against Active Directory. Now, the complexity of managing these roles in splunk has been increased as everytime we introduce new sourcetype in splunk in an index we have to create a corresponding role and assign the role to an user who requires access to the new sourcetype. However, as SSO is in place now we have to create a new group in Active Directory and add the user to the new AD group and pass the group information as a part of SAML_Assertion when an user authenticates and while deploying SAML connection in splunk we mapped the group in Active Directory with role in Splunk. This method of approach is building up complexity and hard to manage as we need to create AD groups as many roles in Splunk.

So, is there any way to better manage the roles in splunk without having as many groups in Active Directory or even eliminate the need of creating the groups in AD.

Thanks much in advance.


Tags (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!