Splunk Enterprise Security

How do I restrict permission on a particular source inside of an index instead of from the whole index?

akchauhan
Explorer

Hi

I have an index named "xyz" and inside that, I have data from different sources (a,b,c etc). I want to restrict permission on index=xyz source=a instead of the whole index. Is this possible to do? If yes, how can i do it?

please help.

0 Karma
1 Solution

maciep
Champion

Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Aboutusersandroles

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Addandeditroles#Search_filter_format

View solution in original post

woodcock
Esteemed Legend

There is nothing that cannot be trivially bypassed. You can send the data twice (double license hit) once to the everybody index and once (filtered to remove source=a) to the somebodies index. Or you can use ... | NOT source=a | collect in a scheduled search to a summary index (free).

0 Karma

maciep
Champion

Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Aboutusersandroles

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Addandeditroles#Search_filter_format

View solution in original post

akchauhan
Explorer

I was able to do this by using search filter but I would suggest to get data in separate index and restrict permission on that instead of source level. Restricting permission at source level is very difficult to maintain in long run and is little complicated.

0 Karma

starcher
SplunkTrust
SplunkTrust

Not effectively no. Index is the fundamental ACL boundary.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.