Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

user role and permission

dhavamanis
Builder
‎05-08-2014 12:08 PM

We have multiple department and its data indexed into splunk indexer, how can we define roles / permission to access their specific department content / search / indexes / sourcetype. if a user "A", belong to department "D1" and "D2", User "A" should have only permission to their SourceType / content / search / dashboard belongs "D1" and "D2".

Can you please suggest the optimized solution for this in splunk user management?.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-08-2014 01:59 PM

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

View solution in original post

Reply
Solved! Jump to solution

yoho
Contributor
‎05-12-2014 02:02 PM

We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept

Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department per department in a very strict way : basically, for each department, we remove the views they don't need.

0 Karma
Reply
Solved! Jump to solution

dhavamanis
Builder
‎05-12-2014 08:17 AM

Thank you, can you please tell us, how to provide "Data inputs" access to user role.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-08-2014 01:59 PM

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

Reply
Solved! Jump to solution

ecambra_splunk
Splunk Employee
Splunk Employee
‎05-08-2014 12:25 PM

What we have done is to create separate apps, we call them "workspaces", for each group. A Role is created for the group/department and assigned write access for their app. (this is done via the app management)

If the data for a group needs to be segmented we would create a separate index, the groups Role would then be given access to this index. (this is done via access controls)

You can learn more about assigning the permissions here. http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutusersandroles

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...