Security

How to limit access to specific events in a given index?

ctaf
Contributor

Hello,

I have an index named "email" which stores all my emails' information (mailfrom, mailto, subject, country, ...). I would like to limit access to this index for different teams across the world. If an email is sent to the country Germany, I want the Germany team to have access only to email logs with the field "country" set to "Germany".

Is it possible?

Thank you 🙂

0 Karma
1 Solution

jacobwilkins
Communicator

Don't do this. Speaking as an admin who has learned from experience, srchFilter looks like something that solves your problem, but it actually causes more in the long run.

If you MUST have this level of access control, create an email_ index for each country you deal with (sucks that you have to know them all in advance) and use index-time transforms to route the events. Apply ACLs at the index level.

Pretend that srchFilter doesn't exist. If you don't, one day you'll think to yourself, "that overly dramatic guy on Splunk Answers was right, I should not have used srchFilter."

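A concrete sketch of what the accepted answer describes: route events into one index per country at index time, then grant each team only its own index. This is an added example, not configuration from the original post, and everything in it is an assumption: the sourcetype is called `email`, each raw event carries a literal `country=<Name>` token, the per-country indexes are `email_de` and `email_fr`, and the roles are `role_email_de` and `role_email_fr`. Index-time transforms are applied on the indexer or a heavy forwarder (a universal forwarder does not run them), so props.conf and transforms.conf belong there; indexes.conf and authorize.conf belong wherever indexes and roles are managed.

```ini
# transforms.conf (hypothetical)
# One routing stanza per country. REGEX runs against _raw by default, so the
# country must be recognisable in the raw event text; there are no fields yet
# at index time. Unknown countries match nothing and stay in the index set by
# the input (assumed to be "email"), which only admins should be allowed to read.
[route_email_de]
REGEX = country=Germany
DEST_KEY = _MetaData:Index
FORMAT = email_de

[route_email_fr]
REGEX = country=France
DEST_KEY = _MetaData:Index
FORMAT = email_fr

# props.conf (hypothetical)
# Attach the routing transforms to the sourcetype the mail logs arrive with.
[email]
TRANSFORMS-route_by_country = route_email_de, route_email_fr

# indexes.conf (hypothetical)
# Every destination index must exist before events are routed to it, which is
# the "you have to know them all in advance" cost mentioned in the answer.
[email_de]
homePath   = $SPLUNK_DB/email_de/db
coldPath   = $SPLUNK_DB/email_de/colddb
thawedPath = $SPLUNK_DB/email_de/thaweddb

[email_fr]
homePath   = $SPLUNK_DB/email_fr/db
coldPath   = $SPLUNK_DB/email_fr/colddb
thawedPath = $SPLUNK_DB/email_fr/thaweddb

# authorize.conf (hypothetical)
# Access control lives at the index level: each team role is allowed to search
# only its own index and must NOT be granted "email" or the other countries'
# indexes. No srchFilter is involved, so there is no search-time object a user
# could redefine to widen their view.
[role_email_de]
importRoles = user
srchIndexesAllowed = email_de
srchIndexesDefault = email_de

[role_email_fr]
importRoles = user
srchIndexesAllowed = email_fr
srchIndexesDefault = email_fr
```

After deploying, a quick check is to run `index=email_de country!=Germany | head 5` as an admin; any hits mean the regex in the routing stanza does not match how the country actually appears in the raw events and needs adjusting before the role is handed out.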
ctaf
Contributor

Ok... But what could go wrong?

0 Karma

ctaf
Contributor

up please 🙂

0 Karma

javiergn
SplunkTrust

Maybe the easiest way would be to use Search Filters within your role.
Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Addandeditroles#Search_filter_format

For instance, for the members of the German team, append "search Country = Germany" when they search the index email, and so on.

The alternative is to use summary indexing and apply a different level of permissions there. In principle index level is the way you permission things in Splunk.

0 Karma

my2ndhead
SplunkTrust

Will only be secure for indexed fields. A user can always overwrite search-time knowledge objects to circumvent the search filter.

ctaf
Contributor

So this filter is basically useless?
Maybe I could prevent the user from overwriting this object?

0 Karma

my2ndhead
SplunkTrust

You can't prevent users from creating private objects.

The filter may be useful when you want to filter on one of the indexed fields such as host, sourcetype or source.

0 Karma
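To make the distinction in the last two replies concrete, here are the two kinds of role search filter side by side in authorize.conf. This is an added illustration, not configuration posted in the thread; the role names, the index `email`, the field `country`, and the host names are assumptions. The first stanza filters on `country`, which in this setup only exists as a search-time extraction, so it depends on knowledge objects that members of the role can shadow with private ones of their own. The second filters on `host`, an indexed field that is fixed when the event is written, which is the case the reply above says the filter is actually useful for.

```ini
# authorize.conf (hypothetical)

# Weak: "country" is a search-time field. The filter is appended to the user's
# search as search-time logic, and search-time knowledge objects (extractions,
# calculated fields, aliases) can be created privately by any user of the role,
# so the value the filter tests is under the user's control.
[role_email_de_filtered]
importRoles = user
srchIndexesAllowed = email
srchIndexesDefault = email
srchFilter = country="Germany"

# Usable: host, source and sourcetype are indexed with the event and cannot be
# redefined at search time, so a filter on them holds. It only helps if the
# German mail servers are the only source of German events, which is a
# property of the data, not of the filter.
[role_email_de_hosts]
importRoles = user
srchIndexesAllowed = email
srchIndexesDefault = email
srchFilter = host=mx-de01 OR host=mx-de02
```

Note that a role filter of either kind applies only to roles that carry it; if a user also holds a role without a filter on the same index (including through importRoles), the unfiltered role wins, so the role membership has to be checked as carefully as the filter itself.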