I was hoping to pick the brains of the community here to see what larger companies are doing when it comes to roles/capabilities and authentication.
I inherited Splunk at my company, as well as about 100+ LDAP groups along with it. Essentially, the way that the previous admins handled authentication and data onboarding is as follows:
Each group that comes to us to onboard data gets an index, or several depending on the data we are ingesting
That group gets 4 LDAP groups created for them: 2 'user' level groups and 2 'power' level groups, one for our test environment and one for the production environment
That LDAP group only has access to the index that the group owns
The group selects a primary owner of the LDAP group, and a secondary owner of the LDAP group
That group handles the approval of new users to the LDAP group
After speaking to a few people at .conf, I realized that this might not be the best strategy, as it really silos the data and prevents data collaboration. For users to access other indexes, they need to request to be added to the appropriate LDAP groups for that data. That request could take several days.
Another problem that we have encountered with this is that suddenly various groups have added Splunk-related LDAP groups to their 'onboarding roles'. That means as new people enter their team, they suddenly have either usr or power roles in Splunk, without really either needing it or having proper training.
I was wondering what other enterprise users are doing when it comes to authentication. In my head I imagine just a handful of roles, each with a different level of access. For example, a very, very low-level role that has low search limits and access to non-sensitive indexes. We then have different LDAP groups for different 'levels' of access, and depending on what data each index has, that index belongs to a certain level (imagine bronze, silver, gold) of access. The top-most group I imagine would be the one that has access to nearly all data, which would probably be our network and security teams.
Any and all input would be useful!
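As an added illustration of the tiered model the post sketches (this is example configuration, not something from the original post or the poster's environment), the two Splunk config files below define bronze/silver/gold roles that inherit from each other and map them to LDAP groups. The index name patterns, search quotas and LDAP group names are constructed placeholders; in a real deployment the LDAP connection stanza (host, bind DN, base DNs) must also be filled in.

```ini
# authorize.conf (constructed example)
# Each tier imports the one below it, so srchIndexesAllowed is the
# union of its own list and everything inherited. Only the top tier
# sees the security/network indexes.

[role_bronze]
# Low-sensitivity data only, tight search limits for untrained users.
srchIndexesAllowed = public_*
srchIndexesDefault = public_*
srchJobsQuota = 2
srchDiskQuota = 100
srchMaxTime = 600

[role_silver]
# Inherits bronze index access and adds the application indexes.
importRoles = bronze
srchIndexesAllowed = app_*
srchJobsQuota = 5
srchDiskQuota = 500

[role_gold]
# Inherits silver (and transitively bronze); adds sensitive indexes.
importRoles = silver
srchIndexesAllowed = netsec_*;auth_*
srchJobsQuota = 10
srchDiskQuota = 2000

# authentication.conf (constructed example)
# roleMap_<authSettings stanza name> ties each Splunk role to one or
# more LDAP groups; several groups are separated with semicolons.

[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
# host, port, bindDN, userBaseDN, groupBaseDN etc. go here (placeholders omitted)

[roleMap_corp_ldap]
bronze = splunk-bronze-users
silver = splunk-silver-users
gold = splunk-gold-users;splunk-secops
```

Because each tier is a single role mapped to a small number of LDAP groups, adding a new index means assigning it to one tier rather than creating four new groups, and reviewing who can reach sensitive data means auditing membership of the gold groups alone.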