Security

user role and permission

dhavamanis
Builder

We have multiple department and its data indexed into splunk indexer, how can we define roles / permission to access their specific department content / search / indexes / sourcetype. if a user "A", belong to department "D1" and "D2", User "A" should have only permission to their SourceType / content / search / dashboard belongs "D1" and "D2".

Can you please suggest the optimized solution for this in splunk user management?.

Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

View solution in original post

yoho
Contributor

We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept

Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department per department in a very strict way : basically, for each department, we remove the views they don't need.

0 Karma

dhavamanis
Builder

Thank you, can you please tell us, how to provide "Data inputs" access to user role.

0 Karma

somesoni2
Revered Legend

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

ecambra_splunk
Splunk Employee
Splunk Employee

What we have done is to create separate apps, we call them "workspaces", for each group. A Role is created for the group/department and assigned write access for their app. (this is done via the app management)

If the data for a group needs to be segmented we would create a separate index, the groups Role would then be given access to this index. (this is done via access controls)

You can learn more about assigning the permissions here. http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutusersandroles

Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...