Security

How do I restrict which apps are visible to a specific AD group?

skrknick
Engager

Hi

I have set up an app that is only accessible to a certain AD group. There are a lot of apps on my Splunk instance which are not necessary for this user group. I don't want that group to be able to see the other apps on my Splunk instance. How do I restrict which apps are visible to certain AD groups?

0 Karma
1 Solution

thesplunkmonkey
Path Finder

In authorize.conf (or through UI) create a new role for your AD group to map to. In authentication.conf (or through UI) map that other AD group to that role that will be used to restrict access. This role will be different from YOUR role, which will not be restricted (I will assume the ADMIN role here), but you'll need to know your role as well.

authorize.conf

[role_admin]
#other configs that are relevant to your environment

[role_restricted_access_role_name]
importRoles = appropriate_roles_for_your_environment
#other configs that are relevant to your environment

authentication.conf

[roleMap_AD_Strategy_Name]
admin = YOUR_AD_GROUP_NAME
restricted_access_role_name = RESTRICTED_AD_GROUP_NAME

Then you'll need to set up metadata configs that will allow you to limit who can have read access in each of those apps. Inside of the app that you don't want to have this restricted group view, make a metadata folder, and then add a default.meta file.

$SPLUNK_HOME/etc/apps/RestrictedSearchHeadAppName/metadata/default.meta

[]
access = read : [ admin, other_allowed_roles ], write : [ admin, other_allowed_roles ]

With the above configs, anyone in the admin and other_allowed_roles roles and associated AD groups would have both read and write access to the RestrictedSearchHeadAppName app, but anyone that is in the restricted_access_role_name role would not be able to access or even see that search head app.

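To check the effect of the configs above before rolling them out, here is an added audit script (my own example, not part of the thread or of Splunk). It parses the [roleMap_<strategy>] stanza of authentication.conf and the app-level [] stanza of default.meta, honours a local.meta override of the same stanza (which is what the Permissions UI writes), and lists which apps a given AD group can read. The group names, app names and the inline config strings are constructed sample data; the script does not expand importRoles, so a restricted role that imports a role with read access is not modelled here.

```python
"""Audit which Splunk apps an AD group can see, from .conf/.meta files.

Constructed example for this thread, not Splunk code. Models:
  - [roleMap_<strategy>] in authentication.conf: role = group;group
  - the app-level [] stanza in metadata/default.meta and local.meta:
        access = read : [ roles ], write : [ roles ]
Assumptions: local.meta overrides default.meta per stanza, '*' means
everyone, and imported roles (importRoles) are NOT expanded.
"""
import re
from collections import defaultdict

ACCESS_RE = re.compile(r'(read|write)\s*:\s*\[([^\]]*)\]')


def parse_conf(text):
    """Minimal parser for Splunk's INI-style files: {stanza: {key: value}}.
    The app-level '[]' stanza is stored under the empty string."""
    stanzas, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            stanzas[current]  # register the stanza even if it has no keys
            continue
        if '=' in line and current is not None:
            key, value = line.split('=', 1)
            stanzas[current][key.strip()] = value.strip()
    return dict(stanzas)


def parse_access(value):
    """'read : [ a, b ], write : [ c ]' -> {'read': {'a','b'}, 'write': {'c'}}"""
    out = {'read': set(), 'write': set()}
    for mode, roles in ACCESS_RE.findall(value):
        out[mode] = {r.strip() for r in roles.split(',') if r.strip()}
    return out


def app_read_roles(default_meta, local_meta=''):
    """Roles that may read the app; local.meta's [] stanza wins over default.meta's.
    Assumed: with no access line at all the app is treated as readable by everyone."""
    merged = dict(parse_conf(default_meta).get('', {}))
    merged.update(parse_conf(local_meta).get('', {}))
    return parse_access(merged.get('access', 'read : [ * ]'))['read']


def group_roles(authentication_conf):
    """Invert the roleMap stanzas: AD group -> set of Splunk roles."""
    groups = defaultdict(set)
    for stanza, keys in parse_conf(authentication_conf).items():
        if not stanza.startswith('roleMap_'):
            continue
        for role, group_list in keys.items():
            for group in group_list.split(';'):
                groups[group.strip()].add(role)
    return dict(groups)


def visible_apps(ad_group, apps, rolemap):
    """apps: {app_name: set_of_read_roles}. Returns the sorted apps the group can see."""
    roles = rolemap.get(ad_group, set())
    return sorted(app for app, readers in apps.items()
                  if '*' in readers or roles & readers)


# --- constructed sample configs (placeholder group and app names) ---
AUTHENTICATION_CONF = """
[roleMap_AD_Strategy_Name]
admin = Splunk-Admins
restricted_access_role_name = Splunk-Restricted
"""

APPS = {
    'RestrictedSearchHeadAppName': app_read_roles(
        "[]\naccess = read : [ admin, other_allowed_roles ], "
        "write : [ admin, other_allowed_roles ]\n"),
    # default.meta locks the app down, but a later UI change wrote a
    # local.meta that opened it to everyone again: local.meta wins.
    'OpenedUpApp': app_read_roles(
        "[]\naccess = read : [ admin ], write : [ admin ]\n",
        local_meta="[]\naccess = read : [ * ], write : [ admin ]\n"),
    'TeamApp': app_read_roles(
        "[]\naccess = read : [ restricted_access_role_name ], write : [ admin ]\n"),
}


def audit(ad_group):
    """Apps visible to the given AD group under the sample configs."""
    return visible_apps(ad_group, APPS, group_roles(AUTHENTICATION_CONF))


if __name__ == '__main__':
    for group in ('Splunk-Admins', 'Splunk-Restricted'):
        print(group, '->', audit(group))
```

The OpenedUpApp case is the one to watch for in a real instance: a default.meta that restricts read access is silently overridden by a local.meta written through Settings > Apps > Permissions, so audit both files, not just the one you edited by hand.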

skrknick
Engager

Thank you all for answering my question. I see the answer was basically to just remove read access for my role to other access, which I suppose makes a lot of sense. I accepted thesplunkmonkey's answer as it was the most detailed.

0 Karma

cesaccenturefed
Path Finder

You would edit your metadata on that app to give read access to the specific group as opposed to everyone. This assumes that the AD group is mapped to a specific role.

solarboyz1
Builder

You would map your AD groups to user roles (role = AD groups).

Then in the App permissions, you would remove read access from "everyone" and assign it to only those roles (roles = AD groups) you want to have access to those apps.

When you configure the role, you can set the default app for those users, indexes they can search, and capabilities.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Aboutusersandroles
