
permission on knowledge object

KaS
New Member

Hello,

Normal users should see a subset of a field extraction; a small set of higher-privileged users should be able to see more fields extracted from a log event in the search app.

Reason: deeper analysis capabilities for special analysts, limit field analysis and search time saving for normal users.

 

Can you please tell me how this has to be implemented? Is there an easier approach than mine?

What do I have to configure and where?

Can I handle it in one Addon?

Do I really save search time if field extraction is limited for the majority of the users? How can I measure the differences?

My approach and actual (no) results:

I created add-ons with report field extraction for specific sourcetypes (log events):

- create an Addon ..._baseline with the field subset - all users are granted

- create an Addon ..._all with all fields extracted, but limit access to a role "deep_data"

- assigned the role to the user, who should see all the data

 

But there is no difference whether a user has the role or not.
By playing with some permission assignments I can enforce that users can see the subset or the whole set.
But it does not depend on the role assignment. It's just for all users.
  

Thx and Regards
KaS

0 Karma

KaS
New Member

Hi Giuseppe,

thx for the reply. Yes, I know that the user cannot see these fields in searches (except with regexing).
But this is exactly what I want to achieve. You wrote I should add grants to knowledge objects.

I did that, but unfortunately with no success.
How exactly do I have to do it?

My recent steps are:

  • create a role "deep_data"
  • go to Apps -> Manage apps
  • select the app "addon_all"
  • edit "permissions"
  • deselect "everyone"
  • select the role "deep_data"
  • keep "All apps (system)" --> I tried it with app only, but this could not work, because it's an addon to search
  • assign the role to the user "xxxx_all"
  • restart
  • logon with user "xxxx_all"
  • logon with user "xxxx_restricted"

Results:

  • whatever I switched, the users "xxx_all" and "xxx_restricted" have the same view

What did I do wrong?

Reg 

KaS

0 Karma

gcusello
SplunkTrust

Hi @KaS,

why do you want to intervene on the app "addon_all", is this the app containing the Knowledge objects?

Anyway, try in this way:

  • click on Manage Apps,
  • choose the App containing the Knowledge objects,
  • click on "View Objects",
  • click, one by one, on all the fields you have to assign roles,
  • assign to each field the roles:
    • both to the fields open to all the users,
    • xxx_restricted to the fields with restricted access.

You can assign grants to the app only (usually) or to all apps (if you think that a field is common to more apps).

Ciao.

Giuseppe

0 Karma
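An added example, not part of the thread or of Splunk's own code: permissions set per object as in the steps above are stored in the app's `metadata/local.meta`, and this Python script reads such a file to list which extraction objects a given role can read. The sample stanzas, the sourcetype `my_log`, the object names and the role `user` are constructed; falling back to the nearest parent stanza when an object has no `access` line is a simplifying assumption.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[props/my_log/REPORT-baseline_fields]
access = read : [ * ], write : [ admin ]

[props/my_log/REPORT-all_fields]
access = read : [ deep_data ], write : [ admin ]

[transforms/all_fields_extraction]
"""

READ_RE = re.compile(r"read\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Map each stanza to its read roles, or None if it has no access line."""
    acl, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            acl.setdefault(stanza, None)
        elif stanza is not None and line.startswith("access"):
            m = READ_RE.search(line)
            if m:
                acl[stanza] = [r.strip() for r in m.group(1).split(",") if r.strip()]
    return acl

def effective_readers(acl, stanza):
    """Assumption: an object without its own ACL inherits from the nearest parent."""
    parts = stanza.split("/") if stanza else []
    while True:
        key = "/".join(parts)
        if acl.get(key) is not None:
            return acl[key]
        if not parts:
            return []
        parts.pop()

def readable_objects(acl, role):
    """Object-level stanzas whose effective read list contains the role or '*'."""
    return sorted(s for s in acl if "/" in s
                  and {"*", role} & set(effective_readers(acl, s)))
```

In the sample, the transform has no `access` line of its own and stays readable by every role through the app default, so both the extraction and the transform it references need checking.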

gcusello
SplunkTrust

Hi @KaS,

you can give the grants by adding the roles of your users to a knowledge object.

The only problem is that if a role/user cannot see a field, all the searches containing that field have no results for that role!

In other words, if a role cannot see a field it isn't used in all searches.

The only way to mask some fields for some users is to create different dashboards for the different roles containing a different list of fields; remember to disable the feature "open in search" for the limited users. 

Ciao.

Giuseppe

0 Karma