Splunk Search

How to restrict User access to search from dashboard?

googs524
Explorer

I have a dashboard which uses an internal index and I made it available for the role "user". I couldn't get the dashboard running for the "user" role without providing access to that internal index. Hence I provided access to that internal index for the "user" role and the dashboard is working fine now.

Now, I want to restrict the user from running a search on that internal index, and I provided that index name in the "Restrict search terms" field of that role, but the "user" role can still access that internal index via search. Is there any way I can restrict the user from searching that internal index, but still have my dashboard run for that user role?

TIA!

0 Karma

micahkemp
Champion

If I understand your question correctly, you can do what you're looking for.

My assumption is you want to disable searching of _internal on the search page by users of a specific role, but you have a dashboard crafted (that searches _internal) that you would like the users in that same role to be able to view.

The solution lies in the fact that you can configure a savedsearch to be run as the owner of the savedsearch, as opposed to the user running it. In savedsearches.conf:

dispatchAs = [user|owner]
* When the saved search is dispatched via the "saved/searches/{name}/dispatch"
  endpoint, this setting controls, what user that search is dispatched as.
* This setting is only meaningful for shared saved searches.
* When dispatched as user it will be executed as if the requesting user owned
  the search.
* When dispatched as owner it will be executed as if the owner of the search
  dispatched it no matter what user requested it.
* If the 'force_saved_search_dispatch_as_user' attribute, in the limits.conf
  file, is set to true then the dispatchAs attribute is reset to 'user' while
  the saved search is dispatching.
* Defaults to owner.

Then in your dashboard, you view the results of that savedsearch in the SimpleXML thusly:

<search ref="savedsearch_name"></search>

For additional reference, consult this previous answers post that discusses the difference between running a savedsearch as a search and running it with the ref method shown above.
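As an added example (not micahkemp's code, and nothing from this thread), the two stanzas below show what that arrangement looks like on disk: the saved search is owned by an account that can read _internal, is dispatched as its owner, and is shared read-only to the "user" role, so the role needs no _internal access of its own. The app name, stanza name, owner account and search string are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/YOUR_APP/local/savedsearches.conf  (YOUR_APP is a placeholder)
[internal_errors_by_component]
# Assumed search: it reads _internal, which the "user" role itself cannot search.
search = index=_internal sourcetype=splunkd log_level=ERROR | stats count by component
# Run under the owner's permissions, not the requesting user's (see the spec above).
# Only effective while force_saved_search_dispatch_as_user in limits.conf is not true.
dispatchAs = owner
# No schedule needed; the dashboard dispatches it on load via <search ref="...">.
enableSched = 0
disabled = 0

# $SPLUNK_HOME/etc/apps/YOUR_APP/metadata/local.meta
[savedsearches/internal_errors_by_component]
# Owner is an account with read access to _internal (assumed here to be admin).
owner = admin
# Share the search read-only with the "user" role; only admin may edit it,
# so the role cannot change the search text to read anything else from _internal.
access = read : [ user ], write : [ admin ]
# Keep export at the default so the search is visible only inside this app
# (set export = system if the dashboard lives in another app).
export = none
```

A dashboard in the same app then references it with <search ref="internal_errors_by_component"></search> inside a panel, exactly as in the answer above.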

Elsurion
Communicator

Since you can add a search restriction on a role basis (I don't use it), it is wiser to add its own index for every needed department (or group of departments). You'll generate a few more indexes, but on the indexer it won't eat much power.

A summary index is like a normal index, but without its own secstofrozen value.
And it doesn't count toward your license.

A tutorial is here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configuresummaryindexes

But in short, you have a search which will select your needed data and write it to a summary 😉
E.g. a collection of license data for long-term evaluation.

index=_internal source=*license* type="Usage"
| fields st, idx, h, b, i, _time
| bucket _time span=1m
| stats sum(b) as bytes by h st idx i _time
| lookup sysmgmt_hosts guid as i OUTPUT name as srv
| eval output=split(h,".")
| eval anz=mvcount(output)
| eval h=if(anz > 1,mvindex(output,0),h)
| eval output=split(srv,".")
| eval anz=mvcount(output)
| eval srv=if(anz > 1,mvindex(output,0),srv)
| eval indexer=if(isnull(srv),i,srv)
| eval type="license"
| fields - output, anz, srv, i
| collect index=sysmgmt_summary
0 Karma

surekhasplunk
Communicator

Hi @adonio,

My query is: I have got several departments' data in a CSV and I want to restrict the data department-wise using a summary index. How do I do this? Can you please explain in detail, as I am new to summary indexing.

Thanks

0 Karma

adonio
Ultra Champion

Short answer: no.
Data security in Splunk is set by index access.
With that being said, there are some ways to go around it. For example, if you want the user to see the dashboard, I can only assume that dashboard has panels that present some sort of reports.
So, you can send results to a summary index and then allow the "user" role access to the summary index.
Have the dashboard present the data from the summary index.
Hope it helps.

0 Karma