Current setup:
1. We have created a dashboard that uses 10 different indexes. Each index holds the data for one single country.
2. There are 10 different Splunk roles, mapped one to one to the 10 indexes.
3. Authentication of users is done via LDAP groups. 10 LDAP groups are mapped one to one to the 10 Splunk roles.
4. Within the Splunk dashboard query, users have a drop-down menu from which to select the country.
Below is just for reference:
1 INDEX_INDIA -> INDIA_SPLUNK_ROLE -> INDIA_SPLUNK_USERS
2 INDEX_CHINA -> CHINA_SPLUNK_ROLE -> CHINA_SPLUNK_USERS
3 INDEX_SINGAPORE -> SINGAPORE_SPLUNK_ROLE -> SING_SPLUNK_USERS
. .
. .
10 INDEX_JAPAN -> JAPAN_SPLUNK_ROLE -> JAPAN_SPLUNK_USERS
As per regulatory requirements, users from one country should not have access to the data of another country. Our application security team wants confirmation on the concerns below:
1) Does the above setup guarantee that if an INDIA user selects CHINA or any other country from the drop-down menu, the query will run but there will be no output on the dashboard?
2) If a user modifies the URL in the browser to point it to another country to which he does not have access, will Splunk skip the role mapping and display output on the dashboard?
Please suggest any better access control model considering above mentioned setup.
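The setup described in the question, written out as the two Splunk configuration files that actually enforce it. This is an added illustration, not configuration from the original poster; the LDAP strategy name `corp_ldap`, the lowercase role and index names, and the LDAP group names are assumptions. Index names are lowercase here because Splunk requires lowercase index names, so the uppercase names in the question are taken as placeholders. Only two of the ten countries are shown; the other eight follow the same pattern.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# (example added for illustration; not the poster's configuration)
#
# Each role may search exactly one index. Splunk applies srchIndexesAllowed
# at search time, whatever "index=" the search string or a dashboard token
# names: an index outside this list is simply dropped from the search and
# returns no events. importRoles is left empty on purpose, because any
# imported role contributes its own srchIndexesAllowed to the effective set.
# Never use a wildcard here (e.g. index_*), or the separation is gone.

[role_india_splunk_role]
importRoles =
srchIndexesAllowed = index_india
srchIndexesDefault = index_india
srchFilter =

[role_china_splunk_role]
importRoles =
srchIndexesAllowed = index_china
srchIndexesDefault = index_china
srchFilter =

# ... eight more stanzas, one per country ...

# $SPLUNK_HOME/etc/system/local/authentication.conf
# (example added for illustration; strategy name "corp_ldap" is assumed)
#
# The roleMap stanza is the LDAP group -> Splunk role mapping. The key is the
# role name without the "role_" prefix used in authorize.conf; the value is
# the LDAP group name (several groups may be separated with ";").

[authentication]
authType = LDAP
authSettings = corp_ldap

[roleMap_corp_ldap]
india_splunk_role = INDIA_SPLUNK_USERS
china_splunk_role = CHINA_SPLUNK_USERS
# ... one line per country ...
```

With this in place, a dashboard panel whose search is `index=$country$ ...` runs as the viewing user, so an INDIA user who selects CHINA in the drop-down, or edits `form.country=` in the URL to the same effect, only changes the token value; the search still runs under india_splunk_role and returns nothing. Two checks worth running before signing this off: log in as a test user from each LDAP group and run `| eventcount summarize=false index=* | dedup index | table index`, which lists exactly the indexes that user can search (it should be one); and run `$SPLUNK_HOME/bin/splunk btool authorize list --debug` to see the effective srchIndexesAllowed per role after all imports and app overrides. Two caveats: do not give any of these roles capabilities that let users read other users' search artifacts, and keep the panels as inline searches run by the viewer rather than displaying the cached results of a scheduled report, since a scheduled report's results are produced under its owner's permissions and are visible to anyone with read access to the report.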
Absolutely, since all your mappings are 1 to 1, it's as simple as it gets and as clear as possible.
index <-> role <-> ldap group
However, a role is associated with a set of indexes and only one app. So, I don't understand how it can be done...
So, you ask for -
index <-> role <-> ldap group and 1:N with the app
If we look at the interface, we see the association of the app to the role as 1:1 -
Association is 1:1 only.
There are 10 different LDAP groups. 10 different Splunk roles. And 10 different Indexes.
All are mapped one to one.
Right, right - we can map multiple roles to the same app, as we do with the power user (to the same app as the regular user). Meaning roles to app is N:1. So, all should be just fine with your design ;-)