Solved: Re: Role based data masking in splunk 6.0.1?

krish3 · ‎02-06-2014

Hi,

I need to know is it role based data masking is possible in 6.0.1? If yes then please let me know what are the possible ways.

And below are some methods which i already gone through:

1. Creating separate index for masked data.
2. Index time masking which I don't need to use. Because the fields masked should be able to view by some groups/roles.

In any other ways if it is possible to mask values for only certain user. Please let me know It would be a great help.. Thanks...

martin_mueller · ‎02-06-2014

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusers_masked. Set up pairs of indexes called myindex and myindex_masked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

View solution in original post

niketn · ‎06-24-2018

@krish3, @salem34, @venkatpotru, SED/anonymization can be applied at search time. However, as @martin_mueller has mentioned will have definite impact to search query performance. Following is a simple run anywhere example which Masks a portion of email if the logged-in user is Non-Admin otherwise displays the complete email (i.e. for admin users). The token can be set and applied to all existing searches where-ever required.

PS: This example has been created on logic similar to one of my previous answers to enable/disable controls in a Dashboard based on logged in user's role: https://answers.splunk.com/answers/575377/can-i-restrict-permissions-for-the-text-box-drilld.html

<dashboard>
  <label>Apply SED based on Role</label>
  <init>
    <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
    <set token="tokRole">user</set>
  </init>
  <!-- Independent Query to find logged in User Role and set tokens accordingly -->
 <search id="baseUserRolesRESTSearch">
   <query>| rest splunk_server=local /services/authentication/current-context 
| table roles
| search roles="admin"
     </query>
     <done>
       <!-- For Non-Admin SED should be used to anonymize email -->
       <condition match="$job.resultCount$==0">
         <set token="tokApplySedOnEmail">rex field=email mode=sed "s/([^\@]+)(\@.*)/XXXX\2/g"</set>
         <set token="tokRole">user</set>
       </condition>
       <!-- For Admin no SED-->
       <condition>
         <!-- comment() macro creates a comment in SPL. Refer to documentation https://docs.splunk.com/Documentation/Splunk/latest/Search/Addcommentstosearches#Using_the_comment_m....
         PS: If comment macro has not been created/made global in the Search app in Splunk, this macro will throw permission error.-->
         <set token="tokApplySedOnEmail">`comment("DO NOT MASK EMAIL")`</set>
         <set token="tokRole">admin</set>
       </condition>
   </done>
 </search>
  <row>
    <panel>
      <title>Email Address Based On Role</title>
      <table>
        <title>$tokRole$ - $tokApplySedOnEmail$</title>
        <search>
          <query>| makeresults
| eval email="someone@somwhere.com"
| $tokApplySedOnEmail$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

PS: I have tested the code by changing independent search filter from | search roles="admin" to | search NOT roles="admin". However, the same should be tested with two different roles and role name should be as per your need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller · ‎06-25-2018

That's a nice UI gimmick, but it's not secure. Anyone could run a different search and see the whole data.

venkatpotru · ‎06-29-2018

Thanks for the inputs @niketnilay and @martin_mueller

venkatpotru · ‎06-24-2018

Is there a better option in 7.1.1? or in 7.1.1 also, only solution is to set up two indexes for same field, one with masked data and other with unmasked data, each with different role access?

martin_mueller · ‎06-25-2018

If you want security for your data and individual searching, different indexes is the way to go. If you just want a dashboard to look nice without actual security you can go niket's way. If you want low privilege users to get a limited view into high privilege data you can give them prepared saved searches that run as a higher privilege owner.

martin_mueller · ‎02-06-2014

I don't think there's any way of forcing role-based searchtime data masking. Thinking about the search performance implications, there would be endless pitfalls.

You can however make indextime masking convenient for role-based use. Say you have two roles, myusers and myusers_masked. Set up pairs of indexes called myindex and myindex_masked, and set visibilities by roles accordingly. Index cleartext data into one index, masked data into the other. Make all searches refer to the indexes by index=myindex* rather than specifying one or the other explicitly. Then, whenever a user runs such a search, he will be provided with cleartext or masked data according to his role.

salem34 · ‎05-11-2017

Im just wondering whether there is still no way to do that at search time in splunk 6.6x - having 20gb of daily logs to anonymize makes the double index path quite painful when it comes to license fees. I start playing around with collect command searches to write out the masked raw data to a summary index but i dont think that this solution is very stable as you have to build a mechanism to avoid duplicates and guarantee ongoing events.
Any other ideas?

martin_mueller · ‎02-07-2014

That could be a concern if you're the one paying for the license, yeah... have you considered using clever summary indexing after the first indexing rather than cloning before the first indexing?

krish3 · ‎02-07-2014

Hi martin,

I agree with your point but what my concern is indexing same data twice might need us to pay more for license.. 🙂

Role based data masking in splunk 6.0.1?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?