Hi,
We've got multiple user-related sourcetypes for things like internet browsing or file activity.
All of these have dedicated indexes that we have permissioned accordingly.
The problem now is that we've been told that certain managers will need to be able to use Splunk to "search" on their employees' data and I have no idea how to do this.
Example:
Any ideas on how to do this?
Thanks,
Javier
What about this?
Create a set of reports for user activity but pipe them all to an AD lookup (I can use the LDAP app for that) that takes the current user as an argument (the rest command gives this) and returns a set of field=value pairs where field would be the name of the user field, and value would be the employee's name.
Then integrate all these reports into one dashboard to show managers and let them play with the data.
Again, some questions around this:
* Can I restrict users to only be able to use the dashboard and nothing else?
* I'm going to have to grant those users access to all the relevant indexes without user restrictions. How do I make sure they can't search outside my reports/dashboard and therefore cannot bypass the lookup?
Thanks,
Javier
Handling this would be a mess in the long run if it's done on a user-by-user basis. To solve this, what I did at my place was to integrate the data which managers would need with the AD data. We basically pull the information on employee, employee number, manager, and TeamName and use a lookup which will be populated once every week. So using this lookup we attached the userid in the data to the respective team and then assigned each manager their respective teams. This solves the issue of you as an admin trying to add user Z later when a new employee comes under that team. Instead, with the lookup being populated with a new user whenever they join, the manager will automatically be able to see the data for that user.
But how do you make sure the manager can only search on his employees' data?
Do you add the AD lookup to the restrict search terms form in the access control panel for the manager role?
Actually that's not going to work because restricted search terms do not support lookups.
You can make it an automatic lookup. It will work in the search once it is an automatic lookup. If not, you can still make it work by doing something like below in the search criteria.
sourcetype=ABC | lookup user.csv ID AS ID OUTPUTNEW DEPT AS DEPT | where DEPT="XYZ"
Search terms is basically another search which will be the first part of the search when a user runs it. Whatever that user executes will be appended to this search.
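The lookup search above combined with the current-user idea from earlier in the thread, as an added example that is not part of any original post. It assumes user.csv also carries a MANAGER column (hypothetical name) holding each employee's manager's Splunk username.

```spl
sourcetype=ABC
| lookup user.csv ID AS ID OUTPUTNEW MANAGER AS MANAGER
| search
    [| rest /services/authentication/current-context splunk_server=local
     | fields username
     | rename username AS MANAGER]
```

Events whose ID has no row in the lookup get no MANAGER value and drop out, so the filter fails closed. It only scopes the results of this one search; a role that can search the underlying indexes directly is not constrained by it.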
Can you apply automatic lookups to only certain roles?
Can normal users bypass the automatic lookup?