Security

How to restrict user access to a new index?

gurinderbhatti
Path Finder

I have a user access dilemma:
I have 10 indexes: index=index_a, index_b, index_c, index_d, index_e, index_f, index_g, index_h, index_i, index_k, index_l, index_m.

My normal userbase I gave access via "srchIndexesAllowed = index_*".

Now I created a new index, index=index_x. How do I make sure only admin or certain roles have access to it? Because index_* covers everything, it would cover this new index too, which I don't want.
Appreciate the answers in advance.

Runals
Motivator

I'm not sure of the backend field name but that appears to be using just restricted indexes. Have you looked into search time restrictions? I can't in good conscience mention that without also mentioning going that route introduces some PITA issues you wouldn't expect but also don't want to write them all out. We've had tickets that Splunk has largely ignored for almost 2 years on this. I think I made the mistake of categorizing them as enhancement requests vs bugs /sigh.

0 Karma

bandit
Motivator

You might look into securing access to indexes by using additional roles. One or more users could be a member of each role. Each role would grant access to a set of indexes or might only grant access to a single index.

This would likely require you to remove your wildcard approach and remove the index access granted to your user role, i.e., the user role no longer gives access to indexes.

http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Aboutusersandroles

gurinderbhatti
Path Finder

I can do it; it's just the convention we have, and we'd like to stay with it. But if it's a last resort, I might have to. I just thought I read something about being able to blacklist indexes so that a role cannot have access to them. I was wondering if someone could give me a clear example of how to implement something like that. Thx

0 Karma

yannK
Splunk Employee

The index list in the roles is the only secure way to go.
Remember that you can have role inheritance, so you could have a parent role with * and a role with only_this_index, to simplify the management.

PS: the per-role search filter conditions are not meant to restrict access; they just add extra search conditions.

gurinderbhatti
Path Finder

Thanks, Rob. We did it this way for scalability reasons; we actually have a lot more than 10 indexes, and every time we add an index, we don't want to have to update the authorize.conf file to add it to the srchIndexesAllowed = path. Since our naming convention of 'index_?' won't change, it's better for us to leave it as a wildcard of index_*.
I was thinking along the lines of possibly putting in a blacklist for index_x, so that all indexes are searchable except those belonging to a blacklist. Any thoughts?

0 Karma

bandit
Motivator

OK, so your scenario is that most of the time all users are given access to all indexes, and once in a while an index which has more sensitive event data comes along and you have to restrict it. Wondering if you could just change your new index name to index-secure_x rather than index_x so it wouldn't match your pattern rule by default? I'm guessing here as I haven't tested wildcarding index access myself.

0 Karma
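To make the two suggestions above concrete (yannK's point that the role index list plus role inheritance is the only real control, and bandit's idea of naming the sensitive index outside the wildcard pattern), here is an added example that is not from any poster in the thread: a small Python simulation of how a role's searchable indexes are resolved from authorize.conf. The authorize.conf text and the index names are constructed for this example. It assumes the documented semantics of srchIndexesAllowed (a semicolon-separated list of patterns where * is a wildcard that does not match internal indexes beginning with an underscore, and inherited roles via importRoles contribute their own allowed patterns); there is no deny or blacklist key to model, which is the point of the thread.

```python
"""Simulate how Splunk resolves a role's searchable indexes from authorize.conf.

Added example, not code from the thread or from Splunk. Assumptions:
- srchIndexesAllowed is a semicolon-separated list of patterns; '*' is the
  only wildcard, and a pattern that does not start with '_' never matches
  an internal index (one whose name starts with '_'), as documented.
- Roles listed in importRoles contribute their srchIndexesAllowed patterns
  to the importing role (access is a union; nothing is subtracted).
- There is no deny/blacklist key, so restriction can only come from the
  allow patterns not matching.
"""
import configparser
import re

# Constructed authorize.conf: the wildcard user role from the question, an
# extra role for the sensitive index using bandit's "index-secure_" naming,
# and an admin role with '*'.
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = index_*

[role_secure_readers]
importRoles = user
srchIndexesAllowed = index-secure_*

[role_admin]
srchIndexesAllowed = *
"""

# Constructed index names, including the "new" index from the question under
# both naming schemes and one internal index.
EXISTING_INDEXES = ["index_a", "index_b", "index_x", "index-secure_x", "_internal"]


def load_roles(conf_text):
    """Parse [role_<name>] stanzas into {name: {"patterns": [...], "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        stanza = cp[section]
        roles[section[len("role_"):]] = {
            "patterns": [p.strip() for p in stanza.get("srchIndexesAllowed", "").split(";") if p.strip()],
            "imports": [r.strip() for r in stanza.get("importRoles", "").split(";") if r.strip()],
        }
    return roles


def effective_patterns(roles, role, seen=None):
    """Union of the role's own patterns and those of every role it imports."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:  # unknown role or inheritance loop
        return []
    seen.add(role)
    patterns = list(roles[role]["patterns"])
    for parent in roles[role]["imports"]:
        patterns.extend(effective_patterns(roles, parent, seen))
    return patterns


def pattern_matches(pattern, index):
    """'*' matches any run of characters; non-underscore patterns skip internal indexes."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index) is not None


def can_search(roles, role, index):
    """True if any effective allow pattern matches; there is no deny list to consult."""
    return any(pattern_matches(p, index) for p in effective_patterns(roles, role))


def searchable_indexes(roles, role, indexes=EXISTING_INDEXES):
    return sorted(i for i in indexes if can_search(roles, role, i))


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for name in ("user", "secure_readers", "admin"):
        print(f"{name}: {searchable_indexes(roles, name)}")
```

Running it shows why the thread's blacklist idea has nowhere to go: the user role's single pattern index_* matches index_x as soon as the index exists, so keeping the wildcard means the only lever left is the index name itself (index-secure_x falls outside the pattern), and the users who should see it get a second role that imports user and adds index-secure_*.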