Splunk Search

User searching an index they do not have access to via an app or form

gn694
Communicator

I assume the answer is no, but wanted to ask to verify.

I do not want to give a user access to an index, because I do not want them to be able to search against it in the Search app. The user has the need to see only certain things in this index. I already have an app I created with a few search forms, which would allow the user to search for all info they need to see and nothing more.

Is there a way for searches within a search form to run with access to an index to which the logged-in user does not have access? Some kind of run-as capability, or assigning an app or form to a Role with access to the index?

0 Karma

triest
Communicator

With Splunk 6 this is fairly easy since there's been a change in the way permissions are applied; saved searches are executed with the permissions of their owner.

  1. Make sure the user doesn't have access to the index.
  2. Create a new user to act like a service account that has access to that index -- You may want to specify search time restrictions so they can only see the desired data in that index.
  3. Create a saved search as the service account that pulls just the data you want the user to see.
  4. Use the saved search in your dashboard.

Since the dashboard calls the saved search, it will (in Splunk 6) execute with the permissions of the owner, and you can create a dashboard based on data the user doesn't have access to.

0 Karma
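
The four steps in the answer above, sketched as Splunk configuration. This is an added example, not part of the original post; the role, user and saved search names are hypothetical, the host filter is a constructed value, and it assumes a Splunk version whose savedsearches.conf supports `dispatchAs`.

```ini
# ---- authorize.conf ----
# Step 1: the dashboard user's role has no access to the restricted index.
# It does not import "user" or any other role whose srchIndexesAllowed
# covers the index, because inherited index access is additive.
[role_form_viewer]
search = enabled
srchIndexesAllowed = main
srchIndexesDefault = main

# Step 2: role for the service account (hypothetical user svc_security).
# srchFilter is applied to every search run under this role, so even the
# service account only sees one host's events (constructed filter value).
[role_svc_security_reader]
search = enabled
srchIndexesAllowed = security
srchIndexesDefault = security
srchFilter = host=myhostname

# ---- savedsearches.conf (in the app that holds the dashboard) ----
# Step 3: fixed search string that returns only what the user should see.
[Security Host Summary]
search = index=security | stats count by sourcetype
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Run with the owner's permissions rather than the viewer's.
dispatchAs = owner

# ---- metadata/local.meta (same app) ----
# Ownership decides whose index access applies. Viewers get read only,
# so they cannot change the search string.
[savedsearches/Security%20Host%20Summary]
owner = svc_security
access = read : [ form_viewer ], write : [ admin ]

# Step 4: the dashboard panel references "Security Host Summary" by name
# instead of embedding an inline query.
```

To check the result, log in as a user holding only the viewer role and confirm that an ad-hoc `index=security` search returns nothing while the dashboard panel still populates.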

yong_ly
Path Finder

An alternative is to give the user access to the index but restrict the search terms. Under the role settings you can specify a search string which will be run against any other searches that user does.

e.g. index=security host=myhostname

This will mean that the user can only find events for that host in the security index.

0 Karma

bmacias84
Champion

Use Saved Searches owned by system and call the saved search in your App. That should work as long as realtime is not needed.

Ricapar
Communicator

Short answer: No

Long answer: Maybe. You can probably pull it off if you really wanted to. Though I can't speak for the security of the setup.

What I would try is to first limit the user's role to be as minimal as possible, and he/she can still use your form searches.

From there, I'd edit the Search app, and remove permissions to flashtimeline and the other "search" pages for that user's role.

Assuming the user is only in that role, you can permission off all the dashboards in Splunk so that the only thing the user is able to ever see are the dashboards you created.

Again, this banks on the fact that you're able to permission off any screens where you can run an ad-hoc search.

Alternatively, you could have the user not log into Splunk altogether, and write something that uses the REST API to generate some charts/graphs on your own.

0 Karma

jonuwz
Influencer

And all of that is for nothing.
You cannot limit a user from creating a new report or dashboard.

If they can do that, they can trivially create a dashboard with a search timeline.

0 Karma