Splunk DB Connect: Upgraded to the new version, so what is the difference between db_connect_user and dbx_user?

Harishma
Communicator

Hi All,
I'm trying to understand the security features in the new version of Splunk DB Connect. Please guide.

A dbx_user in the old version would allow everyone to search every Database in the old version.

Isn't db_connect_user also the same? What's the difference w.r.t. security between these two?

Also, the permission levels are displayed only on a search head and not in a deployer since we don't have apps in Deployer. Isn't it so?

0 Karma
1 Solution

somesoni2
Revered Legend

Both dbx_user and db_connect_user are Splunk roles, so their basic functionality is the same, i.e. a user with both roles will have access to all the objects/artifacts that the role is configured to have access to. In DBConnect 1.x, access to each database connection was not managed separately from a security point of view, hence having dbx_user will give you read access to all databases. In DBConnect 2.x onwards, access to each database connection is managed by Identity objects, and each dbconnect role/Splunk role is given access to specific identities. Hence in DBConnect 2 you can only access databases whose Identity object your role has access to. See this on how an identity object is created and how its sharing permission is set up for available roles.
http://docs.splunk.com/Documentation/DBX/2.4.0/DeployDBX/Createandmanageidentities

Regarding permissions only displayed in Search Head, not Deployer: the permissions/roles are created when the DB Connect app is installed on the Splunk instance (in $SPLUNK_HOME/etc/apps in general). In Deployer it's not installed; it's just placed in the repository location from where it'll get deployed to Search Heads.

0 Karma
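
Added example (not part of the original answer and not Splunk's code): a small Python audit of the DB Connect 2.x model described in the accepted answer, treating a role as able to query a connection only when its chain of roles (followed through importRoles) holds both the db_connect_execute_query capability and read access on that connection's identity. The authorize.conf text, the role names other than db_connect_user, the identity names and the IDENTITY_READ mapping are constructed, and applying inherited roles to identity permissions is an assumption.

```python
import configparser

CAP = "db_connect_execute_query"  # capability named in the thread

# Constructed authorize.conf; role names other than db_connect_user are hypothetical.
AUTHORIZE_CONF = """
[role_db_connect_user]
db_connect_execute_query = enabled

[role_role_a]
importRoles = user
db_connect_execute_query = enabled

[role_analyst]
importRoles = role_a
"""

# Constructed stand-in for identity sharing permissions (identity -> roles with read).
IDENTITY_READ = {"AB": {"role_a"}, "finance": {"db_connect_user"}}

def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {"imports": set, "caps": set}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of keys such as importRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            items = dict(cp[section])
            imports = {r.strip() for r in items.get("importRoles", "").split(";") if r.strip()}
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles

def role_chain(roles, name, seen=None):
    """The role plus everything reachable through importRoles (cycle-safe)."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for parent in roles.get(name, {}).get("imports", ()):
            role_chain(roles, parent, seen)
    return seen

def can_query(roles, identity_read, role, identity):
    """Assumed model: needs the capability AND read access on the identity."""
    chain = role_chain(roles, role)
    has_cap = any(CAP in roles.get(r, {}).get("caps", ()) for r in chain)
    return has_cap and bool(chain & identity_read.get(identity, set()))
```
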

Harishma
Communicator

Hi @somesoni2,

Thank you for the response, but still a small confusion.

In the older version, someone who wanted to access a DB and run db queries was given the dbx_user role, which allows querying against all DBs.

1) So if a person is assigned to the role "db_connect_user", that would also allow him to query any DB still, similar to dbx_user, right?

2) So now, rather than providing the db_connect_user role to the user, we can provide permission for the Splunk role to that particular Identity and also provide the "db_connect_execute_query" search capability to that role, such that he also belongs to that role, for him to run queries against that DB, is it?

  • I tried the above second option by providing permission to Role A to access Identity AB. At the same time I provided the search capability "db_connect_execute_query" to Role A. And now, as a user with Role A, when I run any dbquery I get an error: Unknown search command 'dbxquery'.

Is my understanding correct?

Is it possible to share dashboards with search/report results generated from a SQL query with a set of users (non-dbx role users) while at the same time restricting their access to only those results?

0 Karma