Best strategy for user isolation?

Jason · ‎05-18-2010

Is there a way to completely isolate a user, so that they can only see themselves as a user and only their host - no other hosts, users, or apps?

Can this be done in the Search app or would it have to be a custom app build, and if so would it have to be one per user?

Mick · ‎05-18-2010

It can't be easily done in the search app without significant modification, so that it would pretty much become a custom app anyway.

Splunk doesn't really cater for per-user settings and permissions, instead it's geared towards roles for groups of users. If every user has individual data requirements, and you need them to be strict enough so that users can only see their data and nothing else, then you'll likely end up with a role for each user, and an app for each role.

the_wolverine · ‎05-18-2010

Yes, this is possible with some planning.

By default, a non-Admin Splunk user will not be able to see other users.

You can configure a custom role that is only able to access a custom index which accepts only data for a certain host.

You can also prevent apps from being viewable by certain roles by setting App permissions in UI or by editing default.meta:

http://www.splunk.com/base/Documentation/latest/Developer/Step5SetPermissions

Best strategy for user isolation?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!