We have a domain of about 40K users, and we would like to open the Splunk Search Head Cluster up to all users within the domain.
What I've done so far is add each OU where users reside: MyDomain>EastCoast>HQ>EndUsers
There are tons of OUs with other users in different places, for example MyDomain>WestCoast>LA>EndUsers
Instead of adding thousands of EndUser Distinguished Names, is there a way I can just grab all users within the domain? This will save me lots of time!!!
You would have to put all users in one group and then map that group to the role. You don't have to provide every DN for every user. Let's assume you only have 10 groups; you could map them all to the same role.
Setting up the ldap strategy would be like any other generic ldap strategy, but your role map would look something like this:
[roleMap_LDAPSTRATEGYNAME]
# one line per Splunk role; LDAP groups are semicolon-delimited with no spaces
user = aLDAPgroupName;bLDAPgroupname;securityTeamGroupName
@Jarohnimo - Looks like you have a couple of good suggestions/solutions to your question. If one of them provided a solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!
This is a very bad idea my friend. @DalJeanis speaks the truth.
And I second what DalJeanis said... You probably do not want 40k users having access to your Splunk. Architecturally speaking, you'd need a huge SHC to support that many users even if only 10% of them were concurrent users.
Two caveats and a wild guess first -
CAVEAT ONE: There is a precept in data governance and data security that users should only have access to the data required to do their jobs, and no more. This isn't just a philosophy for bean counters and anal retentives. There are US federal laws and extra-national laws and various potential penalties involved.
So, presumably the splunk search head and indexes that you are opening up are relevant to every employee in that domain, otherwise, any large company would have a data security policy that would strictly prohibit doing what you are asking.
CAVEAT TWO: Predicting usage of a tool like splunk is an art and a craft. Letting 40K untrained new users suddenly access your search head is a bit like playing golf in the middle of the Indy 500.
WILD GUESS: I suspect that the idea of adding all 40K Domain employees onto splunk may have been an organizational reaction to the annoying work of having to grant access one-at-a-time to individuals. Creative programmers often hate admin-type work, so, why not add EVERYBODY ALL AT ONCE and never have to do any admin ever again? Am I close, here?
NOW THE ANSWER:
That all being said, if you have 40K employees in that domain, your team should interface with the data security team that owns the LDAP and arrange for a periodic extract of the data. That conversation (and the CYA documents you walk out of it with) may in fact keep you employed the next time a security audit comes round.
Thank you for your insight, but perhaps a compromise can be made. It appears that you and I may work in similar fields (not saying any more); however, this isn't a negotiable task. Many of the points you've made I've made, and the direction is sally forth...
Dealing with SharePoint people, they import all 40k users no problem, why can't Splunk do it?... So here I am...
Question I have is, just because all users and groups are imported doesn't mean all users have access, right? It's still controlled through mapping each group to a role in Splunk, and we'd like to do that based on request. Mapping each LDAP isn't practical to the org I work for.
But you've made some great points. I will regurgitate them in a meeting today.
Import and access are two very different things in SharePoint. I think you're confused on what I'm talking about.
User profile sync can import all the profiles but doesn't automatically give access to any site in SharePoint.
Thank you
Heh. I can tell you that at US financial organizations, SharePoint is very restricted. The idea that all users might have access to everything on SharePoint is just wrong. Ditto Splunk.
The 40K users need to be in AD groups, and the AD groups need to be given appropriate roles in Splunk. The individual user IDs shouldn't be involved.
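As an added example (not code from this thread or from Splunk itself), here is a small Python check for the group-to-role mapping discussed above: it parses a roleMap stanza, enforces Splunk's semicolon-delimited, no-spaces group list, and computes which directory users would actually receive each role from a group-membership export, flagging roles that would reach most of the directory. The strategy name, group names, and users are constructed placeholders.

```python
import configparser

# Constructed authentication.conf roleMap stanza (strategy and group names are hypothetical).
# Splunk's format: <role> = <group>;<group>;... with no spaces between groups.
SAMPLE_CONF = """
[roleMap_CorpLDAP]
user = EastCoast-HQ-EndUsers;WestCoast-LA-EndUsers
power = SecurityTeam
admin = SplunkAdmins
"""

# Constructed LDAP group membership export: group name -> member account names.
SAMPLE_GROUPS = {
    "EastCoast-HQ-EndUsers": {"alice", "bob", "carol"},
    "WestCoast-LA-EndUsers": {"dave", "erin"},
    "SecurityTeam": {"carol", "frank"},
    "SplunkAdmins": {"frank"},
    "AllEmployees": {"alice", "bob", "carol", "dave", "erin", "frank", "grace"},
}


def parse_role_map(conf_text, strategy):
    """Return {role: [groups]} from the [roleMap_<strategy>] stanza, validating the separator."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk role names case-sensitive
    cp.read_string(conf_text)
    role_map = {}
    for role, groups in cp[f"roleMap_{strategy}"].items():
        if " " in groups or "," in groups:
            raise ValueError(f"{role}: groups must be ';'-delimited with no spaces")
        role_map[role] = [g for g in groups.split(";") if g]
    return role_map


def effective_access(role_map, group_members):
    """Return {role: set(users)}: the users that would actually be granted each role."""
    access = {}
    for role, groups in role_map.items():
        users = set()
        for g in groups:
            users |= group_members.get(g, set())  # unknown group grants nobody
        access[role] = users
    return access


def oversized_roles(access, directory_size, max_fraction=0.5):
    """Roles reaching more than max_fraction of the directory; review these before rollout."""
    return sorted(r for r, u in access.items() if len(u) > max_fraction * directory_size)
```

Run it against a real export of the groups named in your roleMap before enabling the strategy; a role that lands in `oversized_roles` is the "everyone gets access" case DalJeanis warns about.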