I created a user role that restricts search capabilities to certain sources, but there are fields I would like to hide from the user and exclude the _raw data. Is there a way to do this?
Edit: I've expanded this question and I may have found a partial solution, but I'm unable to restrict a user from searching data that I don't want them to.
Example event:
source=my_source user_id=123456 user_secret=99999999 login_status=successful
I restricted the search terms of the user role to source="my_source" user_id=123*. In addition, I created calculated fields for user_secret and _raw and set the eval expression to null(). This restricts the user to see only events in my_source where the user_id starts with 123 and hides the fields user_secret and _raw, but it doesn't prevent the user from being able to search data that they are not privy to.
For example, this search
source=my_source 99999999 | table user_id login_status user_secret _raw
will return
user_id   login_status   user_secret   _raw
123456    successful     (null)        (null)
Even though I've restricted the search and hidden fields, a user would still be able to deduce that the secret for user 123456 is 99999999.
Am I missing something? Is there a way to limit which data/fields a user can search? Another possible solution is to create a separate index but that doesn't seem very efficient to me since data would be duplicated.
This is somewhat related to a separate question I asked, "Can users be restricted to only search data models?". I think this may be a viable solution as well.
Have a look at this question:
http://answers.splunk.com/answers/10582/permissions-on-indexes-and-sourcetypes.html
Thanks. I've already restricted the search in the user roles. However, the user is still able to see the raw event data which includes data I do not want them to see. For example: the search restriction is source="my_source" user_id=123*. This will only allow the user to search events in my_source where user_id starts with 123. However, there are additional fields in the event data such as user_secret which I don't want to be visible to the user.
So you want to hide some fields which are within the _raw data?
Yes, or hide the _raw data completely. Ideally, I only want a user to see data that I allow them to see.
I don't think Splunk permissions can function at that level.
Your best solution here might be to take your "complete" input, parse it into only the allowed fields, and output that into a different index. Then you can restrict those users to that new index, and they won't be exposed to any data they shouldn't see.
I think you are right. Creating a separate index may be the only way to accomplish this.
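One way to put the separate-index suggestion above into configuration, as an added example that is not from this thread: a second input reads the same log, an index-time SEDCMD rewrite strips the user_secret value before the event is written, and the restricted role is confined to the sanitized index. Because the secret is never indexed there, a bare-term search such as 99999999 has nothing to match, which the search-time null() calculated field cannot achieve. The file path, sourcetype, index and role names are placeholders, and the redaction regex assumes the key=value layout of the example event.

```ini
# inputs.conf (on the forwarder or indexer reading the log)
# Second copy of the same source, tagged with a sanitized sourcetype
# and routed to its own index. The original input keeps its full data.
[monitor:///var/log/myapp/events.log]
sourcetype = my_source_sanitized
index = my_source_sanitized_idx
disabled = false

# props.conf (on the parsing tier: heavy forwarder or indexer)
# SEDCMD runs at index time and rewrites _raw before it is stored, so the
# secret value is neither displayed nor indexed as a searchable term.
[my_source_sanitized]
SEDCMD-redact_user_secret = s/user_secret=\S+/user_secret=REDACTED/g

# authorize.conf (on the search head)
# The restricted role may only search the sanitized index; the existing
# search filter from the question still narrows it to user_id=123*.
[role_restricted_viewer]
importRoles = user
srchIndexesAllowed = my_source_sanitized_idx
srchIndexesDefault = my_source_sanitized_idx
srchFilter = source="my_source" user_id=123*
```

After restarting splunkd and re-ingesting, the example event is stored in the sanitized index as source=my_source user_id=123456 user_secret=REDACTED login_status=successful; verify by searching index=my_source_sanitized_idx 99999999 as the restricted user and confirming zero results.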