
srchFilter Role Inheritance: If a user is a member of two roles, how to have the srchFilter apply to indexes of one role, but not the other?

tsunamii
Path Finder

For example, I have a user (test_user) that is a member of these two roles:

    [role_role_a]
    importRoles = user
    srchIndexesAllowed = _audit;_internal
    srchIndexesDefault = _audit;_internal
    srchMaxTime = 0

    [role_role_b]
    cumulativeRTSrchJobsQuota = 0
    cumulativeSrchJobsQuota = 0
    importRoles = user
    srchDiskQuota = 130
    srchFilter = (ConfigVersionId=86 (Address=*))
    srchIndexesDefault = iselogs
    srchMaxTime = 0

This works well, and when this user runs the search, the srchFilter from role_b appears to work:

    litsearch ( index=* ) ( ( ( ConfigVersionId=86 ( Address=* ) ) ) )

However, what I would like is only to have the srchFilter applied to the indexes of role_b, but not role_a (i.e. the filtering should not apply to both the _audit and _internal indexes).

I have tried setting srchFilter = * in role_a:

    [role_role_a]
    importRoles = user
    srchFilter = *
    srchIndexesAllowed = _audit;_internal
    srchIndexesDefault = _audit;_internal
    srchMaxTime = 0

But that seems to override the srchFilter for role_b.

sowings
Splunk Employee

I'm assuming that you're using an apex role to inherit both role_a and role_b. In this case, you can do a search (as admin) like | rest /services/authorization/roles/role_APEX and look at the imported search filters. If you're not using an apex role, and simply assigning a user both roles simultaneously, I think it's going to be a lot harder to debug. There's not a way that I know of to ask "what would the final filter be?" if you're not using an apex role. You're left trying to intuit what Splunk has implemented on your behalf by testing searches over and over. It may be that one inheritance is actually trumping another, perhaps even down to the name of the role (a coming before b, etc).

I'd approach the problem by setting up an apex role (inheriting from both inferior roles) and then setting an explicit search filter on that role, e.g. (index=_internal OR index=_audit) OR (index=* (ConfigVersionId=86 (Address=*))). It's ugly, but you'd be sure of what the filter is.

0 Karma
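As an added example (not from the thread or from Splunk itself): a small Python script that reads the roles above from an authorize.conf-style fragment, walks importRoles, and builds the explicit per-index filter the answer recommends for an apex role. The role_apex stanza is hypothetical, and the fallback to index=* for a role that has no srchIndexesAllowed follows the answer's filter rather than any Splunk rule.

```python
import configparser

# Constructed authorize.conf fragment mirroring the roles in the question,
# plus a hypothetical apex role that inherits both (as the answer suggests).
AUTHORIZE_CONF = """
[role_role_a]
importRoles = user
srchIndexesAllowed = _audit;_internal
srchIndexesDefault = _audit;_internal

[role_role_b]
importRoles = user
srchFilter = (ConfigVersionId=86 (Address=*))
srchIndexesDefault = iselogs

[role_apex]
importRoles = role_a;role_b
"""

def parse_roles(text):
    """Return {role name: {key: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: srchFilter, not srchfilter
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def inherited_roles(roles, name, seen=None):
    """Walk importRoles transitively; roles not in the fragment (e.g. 'user') are skipped."""
    seen = seen if seen is not None else []
    if name in seen or name not in roles:
        return seen
    seen.append(name)
    for parent in roles[name].get("importRoles", "").split(";"):
        inherited_roles(roles, parent.strip(), seen)
    return seen

def role_term(role):
    """SPL term restricting one role's srchFilter to that role's own indexes."""
    allowed = [i for i in role.get("srchIndexesAllowed", "").split(";") if i]
    # Without an allow-list, fall back to index=* for that role, as the answer does.
    clause = "(" + " OR ".join(f"index={i}" for i in allowed) + ")" if allowed else "index=*"
    flt = role.get("srchFilter", "")
    # Adjacent SPL terms are implicitly ANDed; a filter of '*' means no restriction.
    return f"({clause} {flt})" if flt and flt != "*" else clause

def apex_filter(roles, apex):
    """Explicit srchFilter for the apex role: one OR'd term per inherited role."""
    terms = [role_term(roles[r]) for r in inherited_roles(roles, apex)
             if "srchIndexesAllowed" in roles[r] or "srchFilter" in roles[r]]
    return " OR ".join(terms)

if __name__ == "__main__":
    print(apex_filter(parse_roles(AUTHORIZE_CONF), "apex"))
```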