Security

permission on knowledge object

KaS
New Member

Hello,

Normal users should see a subset of a field extraction, small set of higher privilled users should be able to see more fields extracted from a log event in the search app.

reason: deeper analysis capabilities for special analysts, limit field analysis and search time saving for normal users.

 

Can you please tell me, how this have to be implemented? Is there an easier approach than mine?

What do I have to configure and where?

Can I handle it in on Addon?

Do I really save search time, if field extraction limited for the majority of the users? How can I measure the differences?

My approach and actual (no) results:

I created an add on's with report field extraction for specific sourcetypes (log events)

- create an Addon ..._baseline with the field subset - all users are granted

- create an Addon ..._all but with all fields extracted but limit access to a role "deep_data"

- assigned the role to the user, who should see all the data

 

But there is no difference, if a user had the role or not. 
By playing with some permission assignments I can enforce, that users can see the subset or the whole set.
But it's not depends on the role assignment. It's just for all users.
  

Thx and Regards
KaS

Labels (1)
Tags (1)
0 Karma

KaS
New Member

Hi Giuseppe,

thx for reply. Yes I know, that the user can not see these fields in searches (except with regexing).
But this is exact, what I wanne to achieve. You wrote I should grants adding to knowledge objects.

I did that, but unfortunately with no success.
How exactly do I have to do?

My recent steps are:

  • create a role "deep_data"
  • got Apps->Manage apps
  • select the app "addon_all"
  • edit "permissions"
  • deselect "everyone"
  • select the role  "deep_data"
  • keep "All apps(system") --> I tried it with app only, but this could not work, due to it's an addon to search
  • assign the role to the user "xxxx_all"
  • restart
  • logon with user "xxxx_all"
  • logon with user "xxxx_restricted"

Results:

  • whatever I switched, the users "xxx_all" and "xxx_restricted" has the same view

What's did I wrong?

Reg 

KaS

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @KaS,

why do you want to intervene on the app "addon_all", is this the app containing the Knowledge objects?

Anyway, try in this way:

  • click on Manage Apps,
  • choose the App containing the Knowledge objects,
  • click on "View Objects",
  • click, one by one, on all the fields you have to assign roles,
  • assign to each field the roles:
    • both to the fields open to all the users,
    • xxx_restricted to the fields with restricted access.

You can assign grants to only app (usually) or all apps (if you think that a field is common to more apps.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @KaS,

you can give the grants adding to a knowledge object the roles of your users.

The only problem is that if a role/user cannot see a field, all the searches containing that field have no results for thet role!

In other words, if a role connot see a field it isn't used in all searches.

The only way to mask some fields for some users is to create different dashboards for the different roles containing a different list of fields; remember to disable the feature "open in search" for the limited users. 

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...