Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

User with two roles and one search restriction does not work

mgutschelhofer
Explorer
‎03-12-2019 01:08 PM

I have troubles using Splunks role management in combination with search restrictions. My setup is straightforward: A user with two roles, whereby the 1st role is restricting the user on one index.

  • User A
    • Role A
    • Restricted search: "Properties.auth"="5a004"
    • Restricted to index: A
    • Role B
    • Restricted search: ""
    • Restricted to index: B

Now, when this user tries to search on index B, no event are returned?! e.g.:
index="B"

Expected behavior: User should see all events from Index B
Actual behavior: No events are shown

When I remove role A from this user, all events are shown.
When I remove search restriction on Role A everything is shown.
What do I miss in this role management?

I would have expected, that Splunk iterates over all user roles and evaulates them individually.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-14-2019 02:57 PM

My conclusions are :

For the permissions that are positives abilities, you get them all
- the index access from all roles are merging, therefore your user can search index A and index B. (you get most of all)
- for the capabilities, you get them all the enabled ones
- for quotas (search, job, memory...), you get the higher of all.

For the permissions that are restrictive, they all apply.
- the search restrictions are both applied, therefore your hidden final restrictions become ( * AND Properties.auth"="5a004" )

To compare, you can run the search, open the job inspector, and look at the normalized search, you will see all the restrictions applied.

 litsearch (Properties.auth "=" 5a004) | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

However, it seems that the role "admin" is special and remove restrictions. (keep in mind that splunk-system-role inherits from admin)
see the same search once you inherit from admin:

normalizedSearch 

   litsearch * | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-14-2019 02:57 PM

My conclusions are :

For the permissions that are positives abilities, you get them all
- the index access from all roles are merging, therefore your user can search index A and index B. (you get most of all)
- for the capabilities, you get them all the enabled ones
- for quotas (search, job, memory...), you get the higher of all.

For the permissions that are restrictive, they all apply.
- the search restrictions are both applied, therefore your hidden final restrictions become ( * AND Properties.auth"="5a004" )

To compare, you can run the search, open the job inspector, and look at the normalized search, you will see all the restrictions applied.

 litsearch (Properties.auth "=" 5a004) | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

However, it seems that the role "admin" is special and remove restrictions. (keep in mind that splunk-system-role inherits from admin)
see the same search once you inherit from admin:

normalizedSearch 

   litsearch * | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
0 Karma
Reply
Solved! Jump to solution

mgutschelhofer
Explorer
‎03-12-2019 01:36 PM

One thing to add: In the absence of reasonable good documentation and lots of tries & errors, when I add the capability: "splunk-system-role" to the Role B, the query works well. Still not a solution, since there is no documentation about this capability either. Pretty strange behavior.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-12-2019 02:11 PM

When you run the search, check the Job inspector to see what's the actual (normalized) search being executed. I'm guessing it has "Properties.auth"="5a004" search restrictions applied to index=B which is resulting in no data.
See this for more details
https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Aboutusersandroles#How_users_inherit_sea...

0 Karma
Reply
Solved! Jump to solution

mgutschelhofer
Explorer
‎03-13-2019 12:55 AM

You are right 🙂 Have not looked into the Job Inspector before, but it showed that the restriction from Role A was applied when searching in index B. However when I add another restriction on Role B, then restriction of Role B is applied when search in index B.
I'm unblocked, you made my day! Cheers, Martin!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...