Security
Highlighted

how to restrict access to specific rows?

New Member

I have an index with kubernetes logs.
Each log line has a field called namespace with following values

  • prod
  • dev
  • qa
  • test

I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?

thanks
Jörg

0 Karma
Highlighted

Re: how to restrict access to specific rows?

Motivator

Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

0 Karma
Highlighted

Re: how to restrict access to specific rows?

New Member

Thanks for your feedback.

The problem is, that it is one single log, which has the content with , let me call it, different contextes.

what we are looking for is something like "row level security".

There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.

0 Karma