Splunk Enterprise

restrict a role by source IP

Andre_
Path Finder

Hello, 

is it possible to restrict Splunk roles by source IP?

example:
Splunk role: my_user_role, allowed source IPs 172.16.0.0/16
Splunk role: my_admin_role, allowed source IPs 192.168.1.5, 192.168.1.6

Kind Regards
Andre

0 Karma
1 Solution

PickleRick
SplunkTrust

Not directly. You could do something like that with SAML probably if your identity provider could allow/deny login based on IP-criteria. But be aware that even then it would only work during the initial login. If the user switched to another network while having a logged-in session, he would still be logged in with his role.


kiran_panchavat
Champion

@Andre_ 

No, Splunk has no controls based on network source, only user-to-role mapping. This is not doable in the Splunk server configuration.

But a common and effective way to restrict access to Splunk roles based on source IP is to place Splunk behind a reverse proxy (e.g., Apache or NGINX) and configure the proxy to handle IP-based restrictions.
 
However, I haven’t experimented with this approach yet. 
 

Define roles on the Splunk platform with capabilities - Splunk Documentation 

About configuring role-based user access - Splunk Documentation

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

Andre_
Path Finder

@kiran_panchavat,

that doesn't work for us, we need role restriction by IP not service or server restriction.

Kind Regards,

Andre

0 Karma

isoutamo
SplunkTrust
Maybe you should create an idea for that in ideas.splunk.com?

Andre_
Path Finder

EID-I-2530

PickleRick
SplunkTrust

Again - you're talking about a completely different thing.

One thing is general IP-based restrictions - this you can do on a reverse proxy or even directly on the Splunk server itself using access rules for ports.

Another thing is restricting given roles or users to specific IPs. Again - this could also be done if the proxy was acting as an SSO source for Splunk but that is as tricky as any other SSO and still you could easily "escape" this IP-restriction after initial login.

0 Karma
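
The gap described above between a check made once at login and a check made on every request, as an added example that is not part of any post in this thread and is not Splunk functionality. The role names and networks come from the question; `roles_allowed_from`, `Session` and its methods are hypothetical names for logic that would live in the identity provider or the proxy.

```python
import ipaddress

# Role -> allowed source networks, taken from the example in the question.
ROLE_NETWORKS = {
    "my_user_role": ["172.16.0.0/16"],
    "my_admin_role": ["192.168.1.5/32", "192.168.1.6/32"],
}
POLICY = {role: [ipaddress.ip_network(n) for n in nets]
          for role, nets in ROLE_NETWORKS.items()}


def roles_allowed_from(requested_roles, source_ip):
    """Return the subset of requested_roles permitted from source_ip.

    Roles missing from the policy are denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return set()  # unparsable address: grant nothing
    return {r for r in requested_roles
            if any(addr in net for net in POLICY.get(r, []))}


class Session:
    """Hypothetical session record kept by the proxy or IdP."""

    def __init__(self, user, roles, source_ip):
        self.user = user
        # Login-time decision: the only point where a SAML IdP sees the address.
        self.roles = roles_allowed_from(roles, source_ip)

    def login_only_roles(self, current_ip):
        # The address is never looked at again, so the roles travel
        # with the session to any network.
        return self.roles

    def per_request_roles(self, current_ip):
        # A proxy in front of every request can re-evaluate each time.
        return roles_allowed_from(self.roles, current_ip)
```
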

kiran_panchavat
Champion
Splunk doesn’t do IP-based restrictions natively, it’s all user-to-role mapping. They’d need a reverse proxy like NGINX to restrict by IP, but that’s outside Splunk itself. Mixing the two is a category error.
0 Karma

PickleRick
SplunkTrust

Splunk server is not the same as the Splunk software running on it. You can limit connectivity on the Splunk server using iptables/firewalld/Windows Firewall...

Andre_
Path Finder

Thank you @PickleRick,

I think that would work for us, we have SAML and limit it to Kerberos only. This should prevent taking your session with you from one network segment to another (network segments are different AD Domains too).

With SAML auth, can you still manage the role assignments from Splunk, like AD Group -> role, or does that need to be done on the SAML provider?

Kind Regards

Andre

0 Karma