Getting Data In

Managers need limited access to Splunk in order to see their employees' activity

javiergn
SplunkTrust

Hi,

We've got multiple user-related sourcetypes for things like internet browsing or file activity.
All of these have dedicated indexes that we have permissioned accordingly.

The problem now is that we've been told that certain managers will need to be able to use Splunk to "search" on their employees' data and I have no idea how to do this.

Example:

  • Manager ABC has three employees: E1, E2, E3
  • When the manager logs into Splunk we want to restrict his searches in such a way that the only data displayed is that related to E1, E2 and E3
  • If the manager searches for "index=internetlogs sourcetype=bla", the query should be translated internally to "index=internetlogs sourcetype=bla (user=E1 OR user=E2 OR user=E3)"
  • But other sourcetypes might have different names for their username field: user, username, employee, etc.

Any ideas on how to do this?

Thanks,
Javier

0 Karma

javiergn
SplunkTrust

What about this?
Create a set of reports for user activity but pipe them all to an AD lookup (I can use the ldap app for that) that takes the current user as an argument (the rest command gives this) and returns a set of field=value pairs, where field would be the name of the user field and value would be the employee's name.

Then integrate all these reports into one dashboard to show managers and let them play with the data.

Again, some questions around this:
* Can I restrict users to only be able to use the dashboard and nothing else?
* I'm going to have to grant those users access to all the relevant indexes without user restrictions. How do I make sure they can't search outside my reports/dashboard and therefore cannot bypass the lookup?

Thanks,
Javier

0 Karma

theouhuios
Motivator

Handling this would be a mess in the long run if it's done on a user-by-user basis. To solve this, what I did at my place was to integrate the data which managers would need with the AD data. We basically pull the information on employee, employee number, manager, team name and use a lookup which is populated once every week. Using this lookup we attach the userid in the data to the respective team and then assign each manager their respective teams. This solves the issue of you as an admin trying to add user Z later when a new employee comes under that team. Instead, with the lookup being populated with a new user whenever they join, the manager will automatically be able to see the data for that user.

0 Karma

javiergn
SplunkTrust

But how do you make sure the manager can only search on his employees' data?
Do you include the AD lookup in the restricted search terms form in the access control panel for the manager role?

0 Karma

javiergn
SplunkTrust

Actually that's not going to work because restricted search terms do not support lookups.

0 Karma

theouhuios
Motivator

You can make it an automatic lookup. It will work in the search once it is an automatic lookup. If not, you can still make it work by doing something like the below in the search criteria.

sourcetype=ABC | lookup user.csv ID OUTPUTNEW DEPT | where DEPT="XYZ"

Search terms is basically another search which will be the first part of the search when a user runs it. Whatever that user executes will be appended to this search.

0 Karma

javiergn
SplunkTrust

Can you apply automatic lookups to only certain roles?
Can normal users bypass the automatic lookup?

0 Karma
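As an added example (not from this thread), here is one way to wire the approach theouhuios describes into Splunk configuration: a scheduled CSV lookup attached automatically to each sourcetype, field aliases to unify the differently named username fields javiergn mentions, and a per-manager role whose search filter keys on the looked-up field. The app, index, sourcetype and CSV column names are assumptions.

```ini
# ---- transforms.conf (assumed app: manager_views) ----
# Lookup table mapping each employee account to its manager.
# employee_manager.csv is assumed to be refreshed from AD on a schedule
# (e.g. by the ldap app) with the columns: user,manager
[employee_manager]
filename = employee_manager.csv

# ---- props.conf ----
# Each sourcetype names the username field differently; alias them all to
# one field ("user") so a single automatic lookup and one filter cover them.
[web_proxy]
LOOKUP-manager = employee_manager user OUTPUTNEW manager

[file_audit]
FIELDALIAS-unify_user = username AS user
LOOKUP-manager = employee_manager user OUTPUTNEW manager

[mail_audit]
FIELDALIAS-unify_user = employee AS user
LOOKUP-manager = employee_manager user OUTPUTNEW manager

# ---- authorize.conf ----
# One role per manager. The search filter is ANDed onto every search the
# role runs, so "index=internetlogs sourcetype=web_proxy" effectively
# becomes "index=internetlogs sourcetype=web_proxy manager=ABC": only
# events whose looked-up manager is ABC come back, whichever sourcetype
# or original username field the events carry.
[role_manager_abc]
importRoles = user
srchIndexesAllowed = internetlogs;fileactivity
srchIndexesDefault = internetlogs;fileactivity
srchFilter = manager="ABC"
```

The lookup file and lookup definition must be shared read-only to the manager roles: if a role cannot read the lookup, the manager field is never populated and the filter matches nothing, while write access would let a user rewrite the mapping and so the filter.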