user role and permission

Builder

We have multiple departments and their data indexed into a Splunk indexer. How can we define roles / permissions to access their specific department content / searches / indexes / sourcetypes? If a user "A" belongs to departments "D1" and "D2", user "A" should only have permission to the sourcetypes / content / searches / dashboards belonging to "D1" and "D2".

Can you please suggest the optimized solution for this in Splunk user management?


Re: user role and permission

Splunk Employee

What we have done is to create separate apps, which we call "workspaces", for each group. A role is created for the group/department and assigned write access for their app. (This is done via the app management.)

If the data for a group needs to be segmented, we would create a separate index; the group's role would then be given access to this index. (This is done via access controls.)

You can learn more about assigning the permissions here: http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutusersandroles


Re: user role and permission

SplunkTrust

My suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create a separate role for each department (e.g. role_deptname).
  3. If you are able to create a separate index for each department (in step 1), then for each role set the "Indexes"/srchIndexesAllowed to the indexes created specifically for the department (e.g. for roledept1, only add indexdept1 as an allowed index).
  4. If you're not creating a separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all Splunk objects' (searches/dashboards etc.) sharing permissions, assign read/write to specific roles only.
  6. Add users, assigning the required roles based on the departments they need to access.

This way, if roledept1 is set to access only indexdept1 and all dept1-related Splunk objects are assigned read/write only to roledept1, then a user in roledept1 (only) can access dept-related data/objects only.
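An added example, not part of the original answer and not Splunk's own code: a small audit of the index-per-department layout from steps 1 to 3, run over an authorize.conf-style file. The role names, index names and file contents are constructed, and it assumes a role also receives the allowed indexes of every role listed in its importRoles, so a department role that imports a broad role is flagged.

```python
import configparser

# Constructed authorize.conf for illustration; role and index names are hypothetical.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *

[role_dept1]
srchIndexesAllowed = index_dept1

[role_dept2]
srchIndexesAllowed = index_dept2

[role_dept3]
importRoles = user
srchIndexesAllowed = index_dept3
"""

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase key names
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    # Both settings are semicolon-separated lists.
    return {v.strip() for v in value.split(";") if v.strip()}

def effective_indexes(role, roles, seen=None):
    """Allowed indexes of a role, including those inherited through importRoles."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    allowed = split_list(roles[role].get("srchIndexesAllowed", ""))
    for parent in split_list(roles[role].get("importRoles", "")):
        allowed |= effective_indexes(parent, roles, seen)
    return allowed

def audit(roles, expected):
    """Return {role: unexpected indexes} for roles that reach beyond their department."""
    extras = {r: effective_indexes(r, roles) - set(want) for r, want in expected.items()}
    return {r: sorted(e) for r, e in extras.items() if e}

def user_indexes(user_roles, roles):
    """A user's access is the union across all assigned roles (user A in D1 and D2)."""
    return set().union(*(effective_indexes(r, roles) for r in user_roles))
```

Here `audit` reports only `dept3`, whose imported role widens it to `*`, while a user holding `dept1` and `dept2` resolves to exactly those two department indexes.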


Re: user role and permission

Builder

Thank you. Can you please tell us how to provide "Data inputs" access to a user role?


Re: user role and permission

SplunkTrust

Re: user role and permission

Contributor

We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept

Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department by department in a very strict way: basically, for each department, we remove the views they don't need.
