Security

user role and permission

dhavamanis
Builder

We have multiple department and its data indexed into splunk indexer, how can we define roles / permission to access their specific department content / search / indexes / sourcetype. if a user "A", belong to department "D1" and "D2", User "A" should have only permission to their SourceType / content / search / dashboard belongs "D1" and "D2".

Can you please suggest the optimized solution for this in splunk user management?.

Tags (2)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

View solution in original post

yoho
Contributor

We use both answers given previously:
1) Separate indexes for dept
2) Careful read/write permissions and index access
3) 1 app per dept

Step 3 is the most difficult because if you create apps for your departments, you will have to avoid too much difference between all these apps or it will become impossible to maintain. So we have created a "master" app that we customize department per department in a very strict way : basically, for each department, we remove the views they don't need.

0 Karma

dhavamanis
Builder

Thank you, can you please tell us, how to provide "Data inputs" access to user role.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

My Suggestion would be this.

  1. If possible, create a separate index for each department and index the data for a department into their specific index (e.g. index_deptname).
  2. Create separate role for each department (e.g. role_deptname).
  3. If you are able to create separate index for each department(in step1) then for each role set the "Indexes"/srchIndexesAllowed which are created specific for the department. (e.g. for role_dept1, only add index_dept1 as allowed index).
  4. If you're not creating separate index for each department, then for each role add the "Restrict search terms"/srchFilter to restrict the search to that particular department.
  5. For all splunk object's (searches/dashboards etc) sharing permission, assign read/write to specific roles only.
  6. Add users with assigning roles required based on department they need to access.

This way if role_dept1 is set to access only index_dept1 and all dept1 related Splunk objects are assigned read/write only to role_dept1, then a user in role_dept1 (only ) can access dept related data/objects only.

ecambra_splunk
Splunk Employee
Splunk Employee

What we have done is to create separate apps, we call them "workspaces", for each group. A Role is created for the group/department and assigned write access for their app. (this is done via the app management)

If the data for a group needs to be segmented we would create a separate index, the groups Role would then be given access to this index. (this is done via access controls)

You can learn more about assigning the permissions here. http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Aboutusersandroles

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...