Security

User with two roles and one search restriction does not work

mgutschelhofer
Explorer

I have trouble using Splunk's role management in combination with search restrictions. My setup is straightforward: a user with two roles, where the 1st role restricts the user to one index.

  • User A
    • Role A
    • Restricted search: "Properties.auth"="5a004"
    • Restricted to index: A
    • Role B
    • Restricted search: ""
    • Restricted to index: B

Now, when this user tries to search on index B, no events are returned?! e.g.:
index="B"

Expected behavior: User should see all events from Index B
Actual behavior: No events are shown

When I remove role A from this user, all events are shown.
When I remove search restriction on Role A everything is shown.
What do I miss in this role management?

I would have expected that Splunk iterates over all user roles and evaluates them individually.

0 Karma
1 Solution

yannK
Splunk Employee

My conclusions are:

For the permissions that are positive abilities, you get them all:
- the index access from all roles is merged, therefore your user can search index A and index B (you get the most of all)
- for the capabilities, you get all the enabled ones
- for quotas (search, job, memory...), you get the highest of all.

For the permissions that are restrictive, they all apply:
- the search restrictions are both applied, therefore your hidden final restriction becomes ( * AND "Properties.auth"="5a004" )

To compare, you can run the search, open the job inspector, and look at the normalized search; you will see all the restrictions applied.

 litsearch (Properties.auth "=" 5a004) | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

However, it seems that the role "admin" is special and removes restrictions (keep in mind that splunk-system-role inherits from admin). See the same search once you inherit from admin:

normalizedSearch

   litsearch * | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"


0 Karma
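To make the merging rule in the answer above concrete, here is a small model of it, added as an example and not code from Splunk or from anyone in this thread. It parses a constructed authorize.conf fragment (the stanza names and the keys srchIndexesAllowed, srchFilter and srchJobsQuota are real authorize.conf settings; the values are invented to mirror Role A and Role B), combines the roles the way the answer describes (union of indexes, highest quota, search filters ANDed with an empty filter treated as *), and then runs a search over a handful of constructed events so you can see why index="B" returns only events that also satisfy Role A's filter. The filter evaluator only understands the two forms that appear on this page ("field"="value" and *); it is not an SPL parser.

```python
import configparser

# Constructed authorize.conf fragment modelled on the two roles in the question.
# Stanza names and keys are real authorize.conf settings; values are invented.
AUTHORIZE_CONF = """
[role_role_a]
srchIndexesAllowed = A
srchFilter = "Properties.auth"="5a004"
srchJobsQuota = 3

[role_role_b]
srchIndexesAllowed = B
srchFilter =
srchJobsQuota = 6
"""

# Constructed sample events; "index" stands for the index each event lives in.
EVENTS = [
    {"index": "A", "Properties.auth": "5a004", "msg": "login ok"},
    {"index": "A", "Properties.auth": "9f1c2", "msg": "login ok"},
    {"index": "B", "Properties.auth": "5a004", "msg": "order placed"},
    {"index": "B", "Properties.auth": "7b77e", "msg": "order placed"},
    {"index": "B", "msg": "heartbeat"},
]


def load_roles(text):
    """Parse [role_<name>] stanzas from an authorize.conf-style INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(cp[section])
    return roles


def effective_permissions(roles, user_roles):
    """Combine roles as the accepted answer describes: permissive settings are
    unioned or maxed, restrictive search filters are ANDed together."""
    indexes, quota, filters = set(), 0, []
    for name in user_roles:
        cfg = roles[name]
        allowed = cfg.get("srchIndexesAllowed", "")
        indexes.update(i.strip() for i in allowed.split(";") if i.strip())
        quota = max(quota, int(cfg.get("srchJobsQuota", "0") or 0))
        flt = cfg.get("srchFilter", "").strip()
        filters.append(flt if flt else "*")  # empty filter restricts nothing
    combined = " AND ".join(f"({f})" for f in filters)
    return {"indexes": indexes, "jobs_quota": quota, "search_filter": combined}


def filter_matches(search_filter, event):
    """Evaluate an ANDed filter of '*' and "field"="value" clauses against one event."""
    for clause in search_filter.split(" AND "):
        clause = clause.strip().strip("()").strip()
        if clause == "*":
            continue
        field, _, value = clause.partition("=")
        if str(event.get(field.strip('"'))) != value.strip('"'):
            return False
    return True


def run_search(roles, user_roles, index, events):
    """Return the events a user with the given roles sees for index=<index>."""
    perms = effective_permissions(roles, user_roles)
    if index not in perms["indexes"]:
        return []  # index not granted by any role
    return [e for e in events
            if e["index"] == index and filter_matches(perms["search_filter"], e)]


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    print(effective_permissions(roles, ["role_a", "role_b"]))
    # With both roles only the index-B event carrying Properties.auth=5a004 survives.
    print(run_search(roles, ["role_a", "role_b"], "B", EVENTS))
    # With Role B alone all three index-B events come back.
    print(run_search(roles, ["role_b"], "B", EVENTS))
```

The model follows the AND behaviour reported in this thread; whether a given Splunk version ANDs or ORs filters from multiple roles depends on the release and on settings such as srchFilterSelecting in authorize.conf, so the authoritative check on a real deployment remains the normalized search shown in the Job Inspector.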


mgutschelhofer
Explorer

One thing to add: in the absence of reasonably good documentation, and after lots of trial and error, when I add the capability "splunk-system-role" to Role B, the query works well. Still not a solution, since there is no documentation about this capability either. Pretty strange behavior.

0 Karma

somesoni2
Revered Legend

When you run the search, check the Job Inspector to see what the actual (normalized) search being executed is. I'm guessing it has the "Properties.auth"="5a004" search restriction applied to index=B, which is resulting in no data.
See this for more details:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Aboutusersandroles#How_users_inherit_sea...

0 Karma

mgutschelhofer
Explorer

You are right 🙂 I had not looked into the Job Inspector before, but it showed that the restriction from Role A was applied when searching in index B. However, when I add another restriction on Role B, then the restriction of Role B is applied when searching in index B.
I'm unblocked, you made my day! Cheers, Martin!

0 Karma