Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to best manage AD groups, users, roles and index access?

Jamie
Path Finder
‎11-22-2021 08:41 AM

Hello.

I have two indexes and three users.  Each user is in specific AD group.  Each group is mapped to a respective role.  Each role gives access to a specific index(es).

user_a can only search index_a, user_b only index_b and user_c can search both.  Restricting access to indexes is important.

Indexes
index_a
index_b

AD group
user_idx_a (user_a is a member)
user_idx_b (user_b is a member)
user_idx_all (user_c is a member)

Users and roles
user_a has role role_a
user_b has role role_b
user_c has role role_c

authorize.conf

[role_role_a]
importRoles = user
srchIndexesDefault = index_a
srchIndexesDisallowed = index_b

[role_role_b]
importRoles = user
srchIndexesDefault = index_b
srchIndexesDisallowed = inbex_a

[role_role_c]
importRoles = user

That's all fine. But as more indexes are added, I wonder how this will scale, especially where, for example, user_d needs access to newly created index_d, plus say index_a.  I will now need a new AD group (user_idx_d), a new role (role_role_a_d) and a suitable entry in authorize.conf

I've gained some mileage from putting index restrictions on the inherited (user) role.  For example:

[role_user]
srchIndexesDisallowed = main;splunklogger;summary

I had thought I would put users in multiple AD groups, but whilst membership brings a new role / index, it also means I end up with conflicting 'disallowed' directives.

Is there a better way?  Or have I reduced the administration to the minimum whilst maintaining index access granularity?

Many thanks.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

Anton
Explorer
2 weeks ago

Hi, 

My company also faced the same issue. Splunk have a very restricted way of doing RBAC. Until now they do not have any fixes on this. Do you have any luck on this thus far? 

Regards,

Anton

Anton Yeo 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
a week ago

Hi

you should found answer to your issue from this conf presentation.

https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...