Hi all,
I'm developing an app for use across different teams at my company. We have certain security restrictions about what logs each team can see. So, team A might be permissioned to see every log statement, while team B will only be allowed to see logs related to a certain server.
I have a lookup table that determines which servers each employee is permissioned to and I'd like to restrict their searches based on this. Does anyone know of a way I can do this?
Please note that all of these logs are going to the same index. They are all the same type of log, just a different server.
Thanks!
In authorize.conf, there is a setting: srchFilter =
|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""
Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that csv.
More information on search filters is here http://docs.splunk.com/Documentation/Splunk/6.1.2/Security/Addandeditroles#Search_filter_format
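As an added illustration (not code from the original thread), the Python below does in plain code what the lookup plus `format` pipeline above is meant to do: read a user-to-host lookup, build one OR-joined host clause per row for the current user, and apply that filter to a few events so you can see what a restricted role would get back. The lookup rows, usernames and events are constructed for the example; it joins rows with OR, which is the filter the thread is aiming at, rather than reproducing the exact argument order of the `format` command.

```python
import csv
import io

# Constructed stand-in for user_auths.csv (not the asker's real lookup).
USER_AUTHS_CSV = """user,host
alice,web01
alice,web02
alice,db01
bob,web02
"""

# Constructed sample events from the shared index; only the host field matters here.
EVENTS = [
    {"host": "web01", "_raw": "GET /login 200"},
    {"host": "web02", "_raw": "GET /login 500"},
    {"host": "db01", "_raw": "slow query 2.3s"},
]


def load_user_hosts(csv_text):
    """Map each user in the lookup to the set of hosts it grants them."""
    allowed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        allowed.setdefault(row["user"], set()).add(row["host"])
    return allowed


def build_srch_filter(hosts):
    """Build the search filter string: one (host="x") clause per row, joined with OR.

    A user with no rows in the lookup gets a filter that can never match, so a
    missing lookup entry denies access instead of silently returning everything.
    """
    if not hosts:
        return 'host="__NO_ACCESS__"'
    return " OR ".join(f'(host="{h}")' for h in sorted(hosts))


def visible_events(username, events, csv_text=USER_AUTHS_CSV):
    """Apply the user's host filter the way a role's srchFilter is ANDed onto every search."""
    hosts = load_user_hosts(csv_text).get(username, set())
    return [e for e in events if e["host"] in hosts]


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        hosts = load_user_hosts(USER_AUTHS_CSV).get(user, set())
        print(user, "->", build_srch_filter(hosts), [e["host"] for e in visible_events(user, EVENTS)])
```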
Create a macro to get the filter to be used for host based on your lookup and then use this macro as search filter in the team's role definition.