Security

help with dashboard authorizations needed

damucka
Builder

Hello,

I have the following case:
I created a dashboard and an App for it and a role allowing only "read" of my dashboard.
Now, users having this role would use my dashboard.
But I would not like them to see my searches behind the panels. These are quite complicated SQL statements and I would like to keep them hidden from the end users.
Is there any way to forbid access to the panel search but still allow the users to work with the dashboard in such a way that they can see the results?

My second question would be:
- I want this particular role to allow access only to this one specific app having the specific dashboards. However, what I noticed is that many other Apps which I installed, admittedly for playground reasons, are shared Global and they have access to a lot of data. Would that mean I have to go one by one through these Apps and try to revert the authorizations from Everyone back to the particular roles?

Kind Regards,
Kamil

1 Solution

PavelP
Motivator

You can disable "open in search" links and drilldown, so users cannot see SPL by clicking on charts or on the icon on the bottom of the panel. Additionally you can hide some parts of the dashboards with CSS. But users can still overcome these restrictions by manipulating CSS or just accessing the search URL directly. In other words, most of your lockdown measures will work for non-tech users only.

Check this answer:
https://answers.splunk.com/answers/139253/is-there-a-way-to-remove-the-open-in-search-inspect-and-ex...


nickhills
Ultra Champion

1.) This is not really possible.
Splunk's permissions start with an index - if you can read the index then you are entitled to see anything in it.
Then you have apps - again if you can see the app, and assets are shared within that app, then you can see its knowledge objects.
Then you have dashboards - same applies. You can change who can 'edit' a dashboard, but if the user clicks the search icon it will open up in a search window. In order for a dashboard to work, you have to be able to "run" the search, and that also means you can "see" it.

2.) If you want to "hide" an app from a user then yes, you will need to amend that app's permissions so that the role does not have it granted directly (or inherit it).

Ultimately, security in Splunk is based on indexes - if you have sensitive stuff on your Splunk deployment make sure that the user is protected from that index. Everything else Splunk does around permissions is largely "presentation" and making sure someone can't break your stuff - less about making sure they can't see it.

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

One thing you can do if your SPL needs to stay confidential is keep your "secret SPL" queries as private (or in another app) and schedule them to write the results to a new summary index.

Then for your reports and dashboards give the users access only to the summary index and use "non-secret SPL" to pull data out of the SI.
Data would be delayed based on your schedule above, but maybe that approach could work for you.

If my comment helps, please give it a thumbs up!
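
The summary-index approach and the index-based access control described in the two replies above, sketched as configuration. This is an added example, not part of the original thread: the app names (`secret_searches`, `viewer_app`), index names (`app_raw`, `app_summary`), role name (`dashboard_viewer`), saved search name and the search string are all hypothetical, and the summary index is assumed to already exist.

```ini
# --- etc/apps/secret_searches/local/savedsearches.conf ---
# Hypothetical app that only admins can read; it holds the confidential query.
[populate_app_summary]
# Placeholder query: the real confidential search goes here.
search = index=app_raw sourcetype=app:events | stats count AS events BY host, status
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
# Write the results into the summary index on every scheduled run.
action.summary_index = 1
action.summary_index._name = app_summary

# --- etc/apps/secret_searches/metadata/local.meta ---
# Nothing in this app is readable by the viewer role or exported to other apps.
[]
access = read : [ admin ], write : [ admin ]
export = none

# --- authorize.conf ---
[role_dashboard_viewer]
# The role may search the summary index only. Index access is also inherited
# from any role listed in importRoles, so check imported roles for app_raw.
srchIndexesAllowed = app_summary
srchIndexesDefault = app_summary

# --- etc/apps/viewer_app/metadata/local.meta ---
# The dashboard app is readable by the viewer role and kept app-local.
[]
access = read : [ dashboard_viewer ], write : [ admin ]
export = none

# The dashboard panels in viewer_app then use a non-confidential search, e.g.
#   index=app_summary | stats sum(events) AS events BY status
# Users can open and read that search, but it shows only the summary data.
```

The same `access` and `export` lines in each playground app's metadata are what need changing to stop those apps from being shared globally with every role.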