Security

Tuning security in enterprise

brettcave
Builder

I am trying to configure explicit information access based on roles in Splunk Enterprise.

I have configured a number of event types and field extractions. Is it possible to configure access to an event type, but not allow access to 1 field in a multi-field matcher? e.g. below to illustrate what I am trying to achieve:

event type "SomeInfo" search term: "SomeInfo: "
field extractor "InfoExtr" regex:   aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)
log example: SomeInfo: aField: foo, bField: bar, cField: 99

I would like to allow a role to access FieldA and FieldB, but not FieldC. Is this possible?

I have the following in the Restrict search Terms: (eventtype="SomeInfo" OR eventtype="Other"). I have tried adding (NOT FieldC) (doesn't filter) or (NOT FieldC="*") (filters entire event).

Tags (1)
0 Karma
1 Solution

rtadams89
Contributor

I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.

View solution in original post

rtadams89
Contributor

I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.

brettcave
Builder

thanks, that makes sense, nice approach.

0 Karma

brettcave
Builder

doesn't look like it.

0 Karma

brettcave
Builder

assuming this isn't possible?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...