Splunk Search

Is there a way for different users/departments to only view their respective lookup files based on their assigned user roles?

Explorer

Hey Everyone,

I'd like to make sure that different users/departments will only be able to view their respective lookup files. Is that possible?

This is how we designed it; we have Splunk doing all the searches on the dashboard.
1) We have a lookup file for users/departments to add or change the names of certain items, and these are classified items.
2) All the searches will be referring to the lookup file.

We will be assigning user roles based on department so that each department can only view its own data.
I'm not too sure if the departments are able to view only their respective lookup file, or whether they will be able to view everyone else's lookup files as well.
If they are able to view other people's lookup files, is there a way to allow each department to view only its respective lookup file?

Thanks

0 Karma
1 Solution

SplunkTrust

The way I approached this in the past was in SQL:

  • Create a SQL table with all your data and include a column that contains the username or department that is meant to have access to that row
  • You might need to define another table with a list of departments and the members of each department, and then join both tables in order to expand which users will have effective access to each row
  • Build a query in Splunk that takes the actual username* and passes that information to the lookup so that your SQL query only returns rows where the username column matches the Splunk username, more or less. Obviously you can configure this the way you want
  • Insert this query into a report/dashboard so that users can't modify what it is doing

You can probably do the same using CSV files. I guess you would need a master CSV file with all your data and then append a column with users that can access each line.

I know it sounds overcomplicated, but in our case it worked very well when we dumped all our Active Directory usernames into SQL and calculated the management tree recursively in order to restrict managers from looking at data outside those they were managing.

Let me know if you want me to explain this a bit more, as it's been a while since I implemented it.

Thanks,
J

*

| rest /services/authentication/current-context | table username

0 Karma

Explorer

Thanks javiergn,

Yeah, I'd appreciate it if you could explain more to me. Your suggestion sounds less painful in the long run.

But I've a little issue here: I don't have a database. All the incoming data is syslog and is passed directly to Splunk to process. Maybe your SQL query method will still work, and I'm willing to give it a shot.

What's your email? Or you can drop me an email at p.zhao.y@gmail.com and we can discuss more from there.

Thanks

0 Karma

SplunkTrust

Hi,

If you can't easily import the files into SQL then the suggestion @jkat54 made is probably better:

  • Create one app per department
  • Grant that department access to the app
  • Place each CSV within the context of its respective application. You can even use the same names

Another alternative is to have a master CSV file in the same way as I suggested within SQL:

  • This master CSV file will contain all your data and also one or two more columns with the department and username that can see each row.
  • Create an app for all your users in order to have more granular access control
  • Then create a dashboard/report that runs your lookup against the CSV file and filters (using search or where) those results based on the name of the current user.
  • You also need to ensure those users can't run custom searches (disable the search view for them) outside your dashboard or modify the dashboard/report, otherwise they'll be able to see the whole file

Does that make sense?

0 Karma
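The row-level filter javiergn describes twice in this thread (first as SQL tables joined on department membership, then as a master CSV with extra access columns filtered in the dashboard search) can be worked through offline. The following is an added example, not code from the thread or from Splunk: the lookup contents, the department membership table and the user names are all constructed, and the access rule (a named username wins, otherwise the department column decides, otherwise deny) is an assumption about how such a column pair would be interpreted.

```python
import csv
import io

# Constructed sample master lookup (not from the thread): every row carries
# the department and, optionally, a single username that may see it. These
# are the extra access columns javiergn describes.
MASTER_CSV = """item,display_name,department,username
srv-01,Payroll DB,finance,
srv-02,Build Farm,engineering,
srv-03,Board Deck Share,execs,ceo
srv-04,Sales CRM,sales,
"""

# Constructed department membership table (the second table in the SQL
# design, expanded so each row can be matched against an individual user).
DEPARTMENT_MEMBERS = {
    "finance": {"alice", "bob"},
    "engineering": {"carol"},
    "execs": {"ceo", "cfo"},
    "sales": {"dave"},
}


def parse_lookup(text: str) -> list[dict]:
    """Read the CSV lookup the way Splunk would: header row plus records."""
    return list(csv.DictReader(io.StringIO(text)))


def departments_of(user: str) -> set[str]:
    """Join against the membership table: which departments does `user` belong to?"""
    return {dept for dept, members in DEPARTMENT_MEMBERS.items() if user in members}


def row_visible_to(row: dict, user: str) -> bool:
    """Access rule for one lookup row (assumed semantics, see lead-in).

    If the row names a specific username, only that user may see it;
    otherwise anyone in the row's department may. A row that matches
    neither column is denied, so missing access data never exposes a row.
    """
    owner = (row.get("username") or "").strip()
    if owner:
        return owner == user
    return (row.get("department") or "").strip() in departments_of(user)


def visible_items(user: str, lookup_text: str = MASTER_CSV) -> list[str]:
    """The filtering step the dashboard search performs, with the Splunk
    username (what `| rest /services/authentication/current-context`
    returns) as its input. Returns the item ids the user may see."""
    return sorted(
        row["item"] for row in parse_lookup(lookup_text) if row_visible_to(row, user)
    )
```

In Splunk the same rule is a `search` or `where` clause after the lookup, fed with the current username. As javiergn's last bullet says, this protects nothing if the user can run ad-hoc searches: an `inputlookup` on the master file outside the dashboard returns every row, so the search view and the dashboard itself must be locked down for those roles.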

Explorer

Thanks,

Yeah, it does make sense. I had a talk with my guys over the week and they said @jkat54's suggestion is probably the easiest way to go ahead.

As for creating apps: assuming I've 100 departments, I'll have to create 100 apps. Will that affect performance?

As for searches, we have removed the view and everything is run in the background.

0 Karma

SplunkTrust

Hi,

An app by itself does not have an impact on performance. It all depends on what the app is doing. An app is pretty much just a bunch of config files; if the app is not running any background searches or something like that, the impact shouldn't be noticeable.

The only problem I see with 100 apps is from a GUI point of view. If you have access to 100 apps because you are a power user or admin, then you'll see 100 icons in your home page. Your home page is customisable anyway.

Managing those 100 apps could be a problem too if they are very different to each other. If not you can always script the creation.

0 Karma

Explorer

Hi,

Not too sure if this is allowed, but since we're talking about performance:

I'm running 12 background searches, of which:
there are 10 searches that are calculating averages,
and 7 that are calculating totals/sums.
Some of the charts are running both total/sum and average.

I'm just wondering if there are any ways I can check and see which searches are affecting the performance, as the latest version is very laggy compared to my previous version.

Thanks

0 Karma

SplunkTrust

You can click on the Activity tab and then Jobs to see the list of tasks currently running and some performance stats. You can use tools such as Splunk On Splunk if you want more details, but if this is still a problem I would recommend posting a new question about it as it'll reach more people.

Thanks,
J

0 Karma

SplunkTrust

I think you will need to create a lookup for each department, and use metadata/local to specify which roles have access to which lookups. Ensure that each role only has access to 1 lookup via these permissions, and then configure the dashboard to |inputlookup lookupBaseName* where * will be a wildcard for the user's name or department name.

So you'll have these lookups

lookupBaseNameSales.csv
lookupBaseNameEngineering.csv
lookupBaseNameExecs.csv

And since the user executing the search will only have access to one, they'll get the expected results.

If this doesn't work then they'll all need their own copy of the application with their own lookups, and you can name the application the same but keep it in different folders

...etc/apps/ApplicationNamesales
...etc/apps/ApplicationNameengineering

Then only give read access to the appropriate users, and the dashboards can have the same lookup names, effectively creating multiple copies of the same app with different lookups and different users accessing each.

0 Karma
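jkat54's design hinges on two things: a metadata/local.meta stanza per lookup that grants exactly one role access, and the guarantee that no role can read more than one lookupBaseName* file, since a wildcard inputlookup would otherwise return another department's rows (the overlap the asker worries about later). It also answers javiergn's remark that creating many apps or lookups is best scripted. The following is an added example, not code from the thread or from Splunk: the department-to-role mapping and role names are constructed assumptions, while the `[lookups/<file>]` stanza, `access = read : [ ... ], write : [ ... ]` and `export = none` are the standard Splunk metadata keys. The parser is a small check a practitioner can run over an existing local.meta before trusting the wildcard search.

```python
import re

# Constructed department -> Splunk role mapping (role names are assumptions,
# not from the thread). LOOKUP_BASE follows jkat54's lookupBaseName* naming.
LOOKUP_BASE = "lookupBaseName"
DEPARTMENT_ROLES = {
    "Sales": "role_sales",
    "Engineering": "role_engineering",
    "Execs": "role_execs",
}


def lookup_stanza(department: str, role: str) -> str:
    """One metadata/local.meta stanza: the department's role gets read and
    write on its own lookup file (so it can also edit it, as the asker
    needs), and export = none keeps the lookup from being shared into
    other apps."""
    return (
        f"[lookups/{LOOKUP_BASE}{department}.csv]\n"
        f"access = read : [ {role} ], write : [ {role} ]\n"
        "export = none\n"
    )


def build_local_meta(department_roles: dict) -> str:
    """Generate the whole local.meta so that adding many departments is a
    script run rather than a click-through per department."""
    return "\n".join(lookup_stanza(d, r) for d, r in department_roles.items())


def parse_lookup_access(meta_text: str) -> dict:
    """Parse [lookups/...] stanzas and return {role: set of lookup files}
    for read access. A wildcard entry 'read : [ * ]' shows up under the
    key '*', meaning every role can read that file."""
    access: dict = {}
    current = None
    for raw in meta_text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[lookups/(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):  # some other stanza, e.g. [] or [views/...]
            current = None
            continue
        if current is None or not line.startswith("access"):
            continue
        read = re.search(r"read\s*:\s*\[([^\]]*)\]", line)
        if read:
            for role in read.group(1).split(","):
                role = role.strip()
                if role:
                    access.setdefault(role, set()).add(current)
    return access


def overlapping_roles(meta_text: str) -> list:
    """Roles that can read more than one lookup file in this app. With a
    wildcard inputlookup in the dashboard, such a role would be served
    rows from another department's lookup."""
    return sorted(
        role
        for role, files in parse_lookup_access(meta_text).items()
        if len(files) > 1
    )
```

Run `build_local_meta(DEPARTMENT_ROLES)` to produce the file, and `overlapping_roles(...)` against the deployed local.meta after every change; a non-empty result (or a `*` key in `parse_lookup_access`) means the one-lookup-per-role assumption no longer holds and the wildcard search is unsafe until the stanzas are corrected.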

Explorer

Thanks jkat54,

But I'll need them to access their respective lookup files and make changes if necessary.
You suggested read-only; not too sure that will work.

My main worry is only letting each department view its respective lookup; I'm afraid of overlap here, or how Splunk can handle that.

0 Karma

Explorer

@jkat54
Hey jkat54, I'm wondering if you're free to discuss working on a Splunk project?
I've a Splunk project, but I'm looking for a Splunk consultant to carry on working on the next step.

If you're interested, drop me an email at gambit_remy08@hotmail.com ....

0 Karma