Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to best manage AD groups, users, roles and index access?

Jamie
Path Finder
‎11-22-2021 08:41 AM

Hello.

I have two indexes and three users.  Each user is in specific AD group.  Each group is mapped to a respective role.  Each role gives access to a specific index(es).

user_a can only search index_a, user_b only index_b and user_c can search both.  Restricting access to indexes is important.

Indexes
index_a
index_b

AD group
user_idx_a (user_a is a member)
user_idx_b (user_b is a member)
user_idx_all (user_c is a member)

Users and roles
user_a has role role_a
user_b has role role_b
user_c has role role_c

authorize.conf

[role_role_a]
importRoles = user
srchIndexesDefault = index_a
srchIndexesDisallowed = index_b

[role_role_b]
importRoles = user
srchIndexesDefault = index_b
srchIndexesDisallowed = inbex_a

[role_role_c]
importRoles = user

That's all fine. But as more indexes are added, I wonder how this will scale, especially where, for example, user_d needs access to newly created index_d, plus say index_a.  I will now need a new AD group (user_idx_d), a new role (role_role_a_d) and a suitable entry in authorize.conf

I've gained some mileage from putting index restrictions on the inherited (user) role.  For example:

[role_user]
srchIndexesDisallowed = main;splunklogger;summary

I had thought I would put users in multiple AD groups, but whilst membership brings a new role / index, it also means I end up with conflicting 'disallowed' directives.

Is there a better way?  Or have I reduced the administration to the minimum whilst maintaining index access granularity?

Many thanks.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

Anton
Explorer
‎11-22-2023 06:30 PM

Hi, 

My company also faced the same issue. Splunk have a very restricted way of doing RBAC. Until now they do not have any fixes on this. Do you have any luck on this thus far? 

Regards,

Anton

Anton Yeo 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-24-2023 05:21 AM

Hi

you should found answer to your issue from this conf presentation.

https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...