Dashboards & Visualizations

Is my setup for authentication and access control on data within different indexes and same dashboard appropriate?

anantdeshpande
Path Finder

Current setup:
1. We have created a dashboard having 10 different indexes. Each index holds the data for one single country.
2. There are 10 different Splunk roles which are mapped one to one with 10 indexes.
3. Authentication of users is done via LDAP group. 10 LDAP groups are mapped one to one with 10 Splunk roles.
4. Within the Splunk dashboard query, users have the choice of a drop-down menu to select a country.

Below is just for reference:

1 INDEX_INDIA -> INDIA_SPLUNK_ROLE -> INDIA_SPLUNK_USERS
2 INDEX_CHINA -> CHINA_SPLUNK_ROLE -> CHINA_SPLUNK_USERS
3 INDEX_SINGAPORE -> SINGAPORE_SPLUNK_ROLE -> SING_SPLUNK_USERS
...
10 INDEX_JAPAN -> JAPAN_SPLUNK_ROLE -> JAPAN_SPLUNK_USERS

As per regulatory requirement, users from one country should not have access to the data of another country. Our application security team wants confirmation on the concerns below:
1) Does the above setup guarantee that if an INDIA user selects CHINA or any other country from the drop-down menu, the query will run but there will be no output on the dashboard?
2) If a user modifies the URL in the browser to point it to another country to which he does not have access, will Splunk skip role mapping and display output on the dashboard?

Please suggest any better access control model considering above mentioned setup.

0 Karma

ddrillic
Ultra Champion

Absolutely, since all your mappings are 1 to 1, it's as simple as it gets and as clear as possible.
index <-> role <-> ldap group

However, a role is associated with a set of indexes and only one app. So, I don't understand how it can be done...

So, you ask for -
index <-> role <-> ldap group and 1:N with the app

If we look at the interface, we see the association of the app to the role as 1:1 -


0 Karma

anantdeshpande
Path Finder

Association is 1:1 only.
There are 10 different LDAP groups. 10 different Splunk roles. And 10 different Indexes.

All are mapped one to one.

0 Karma

ddrillic
Ultra Champion

Right right - we can map multiple roles to the same app, as we do with the power user (to the same app as the regular user). Meaning roles to app is N:1. So, all should be just fine with your design ;-)

0 Karma
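An added example, not part of the thread and not Splunk's own tooling: a check that every role can search at most one country index, computed from `authorize.conf` role stanzas including what a role inherits through `importRoles`. The sample configuration is constructed, index names are written in lowercase, and matching wildcards with `fnmatchcase` is an assumption that approximates how Splunk expands `srchIndexesAllowed`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in authorize.conf syntax; role and index names follow the post.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
[role_india_splunk_role]
srchIndexesAllowed = index_india
[role_china_splunk_role]
importRoles = user
srchIndexesAllowed = index_china
[role_japan_splunk_role]
srchIndexesAllowed = index_japan;index_sing*
"""

COUNTRY_INDEXES = ["index_india", "index_china", "index_singapore", "index_japan"]

def _items(section, key):
    return [v.strip().lower() for v in section.get(key, "").split(";") if v.strip()]

def effective_patterns(conf, role, seen=None):
    """srchIndexesAllowed of a role plus everything inherited through importRoles."""
    seen = set() if seen is None else seen
    stanza = f"role_{role}"
    if role in seen or stanza not in conf:
        return set()
    seen.add(role)  # guards against import cycles
    patterns = set(_items(conf[stanza], "srchIndexesAllowed"))
    for parent in _items(conf[stanza], "importRoles"):
        patterns |= effective_patterns(conf, parent, seen)
    return patterns

def audit(conf_text, country_indexes):
    """Map each role to the sorted country indexes it can search."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    result = {}
    for stanza in conf.sections():
        if stanza.startswith("role_"):
            pats = effective_patterns(conf, stanza[5:])
            result[stanza[5:]] = sorted(i for i in country_indexes
                                        if any(fnmatchcase(i, p) for p in pats))
    return result

def violations(conf_text, country_indexes):
    """Roles that can search more than one country index."""
    return {r: ix for r, ix in audit(conf_text, country_indexes).items() if len(ix) > 1}
```

In the constructed sample the India role passes, while the China role fails only because of the role it imports, which a review of the one-to-one mapping table alone would not show.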