Splunk Enterprise

restrict a role by source IP

Andre_
Explorer

Hello, 

is it possible to restrict Splunk roles by source IP?

example:
Splunk role: my_user_role, allowed source IPs 172.16.0.0/16
Splunk role: my_admin_role, allowed source IPs 192.168.1.5, 192.168.1.6

Kind Regards
Andre

0 Karma

kiran_panchavat
Influencer

@Andre_ 

No, Splunk has no controls based on network source. Only user to role mapping. This is not doable in the Splunk server configuration.

But a common and effective way to restrict access to Splunk roles based on source IP is to place Splunk behind a reverse proxy (e.g., Apache or NGINX) and configure the proxy to handle IP-based restrictions.
 
However, I haven’t experimented with this approach yet. 
 

Define roles on the Splunk platform with capabilities - Splunk Documentation 

About configuring role-based user access - Splunk Documentation

 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma

Andre_
Explorer

@kiran_panchavat,

that doesn't work for us, we need role restriction by IP not service or server restriction.

Kind Regards,

Andre

0 Karma

isoutamo
SplunkTrust
Maybe you should create an idea for that in ideas.splunk.com?

Andre_
Explorer

EID-I-2530

PickleRick
SplunkTrust

Again - you're talking about a completely different thing.

One thing is general IP-based restrictions - this you can do on a reverse-proxy or even directly on Splunk server itself using access rules for ports.

Another thing is restricting given roles or users to specific IP-s. Again - this could also be done if the proxy was acting as an SSO source for Splunk but that is as tricky as any other SSO and still you could easily "escape" this IP-restriction after initial login.

0 Karma
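
The caveat in the post above, that an IP rule enforced at login does not follow the session afterwards, can be checked for after the fact. The following is an added example, not code from the thread or from Splunk: it takes the role-to-IP policy from the question, while the user-to-role mapping, the log layout and the sample records are constructed for illustration.

```python
import ipaddress
import re

# Policy from the question's example; a role with no entry is unrestricted.
ROLE_NETWORKS = {
    "my_user_role": ["172.16.0.0/16"],
    "my_admin_role": ["192.168.1.5/32", "192.168.1.6/32"],
}
# Constructed user-to-role mapping (assumption: exported from Splunk or the IdP).
USER_ROLES = {"alice": ["my_user_role"], "bob": ["my_admin_role"]}

# Constructed access records in a simplified layout, not Splunk's own log format.
# Assumed to be in chronological order.
SAMPLE_LOG = """\
2025-03-01T09:00:00Z user=alice clientip=172.16.4.20 session=a1
2025-03-01T09:30:00Z user=alice clientip=10.9.8.7 session=a1
2025-03-01T10:00:00Z user=bob clientip=192.168.1.5 session=b1
2025-03-01T10:05:00Z user=bob clientip=172.16.0.9 session=b2
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) clientip=(\S+) session=(\S+)$")


def role_allowed(role, ip_text):
    """True if the role may be used from ip_text under ROLE_NETWORKS."""
    nets = ROLE_NETWORKS.get(role)
    if nets is None:
        return True
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def find_violations(log_text):
    """Return (timestamp, user, ip, role, roamed) per out-of-policy request.

    roamed is True when the same session was seen earlier from an allowed
    address, i.e. the login passed the IP check and the session then moved.
    """
    hits, ok_sessions = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access record in the assumed layout
        ts, user, ip_text, session = m.groups()
        try:
            bad = [r for r in USER_ROLES.get(user, []) if not role_allowed(r, ip_text)]
        except ValueError:
            continue  # client address field is not a valid IP
        if not bad:
            ok_sessions.add(session)
        hits += [(ts, user, ip_text, r, session in ok_sessions) for r in bad]
    return hits
```

On the constructed sample, the second `alice` record is reported with `roamed=True` because session `a1` first appeared from an allowed address, which is the case a login-time check alone cannot see.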

kiran_panchavat
Influencer
Splunk doesn’t do IP-based restrictions natively, it’s all user-to-role mapping. They’d need a reverse proxy like NGINX to restrict by IP, but that’s outside Splunk itself. Mixing the two is a category error.
I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma

PickleRick
SplunkTrust

Splunk server is not the same as the Splunk software running on it. You can limit connectivity on the Splunk server using iptables/firewalld/Windows Firewall...

PickleRick
SplunkTrust

Not directly. You could do something like that with SAML probably if your identity provider could allow/deny login based on IP-criteria. But be aware that even then it would only work during the initial login. If the user switched to another network while having a logged-in session, he would still be logged in with his role.

Andre_
Explorer

Thank you @PickleRick ,

I think that would work for us, we have SAML and limit it to Kerberos only. This should prevent taking your session with you from one network segment to another (network segments are different AD Domains too).

With SAML auth, can you still manage the role assignments from Splunk, like AD Group -> role, or does that need to be done on the SAML provider?

Kind Regards

Andre

0 Karma