Restrict access to part of the data of an index but allow access to other indexes

MikeBertelsen
Communicator

I have a role assigned to an AD group that limits their access to specific events in a windows event log index.
The restriction on the role reads "EventCode=4740 OR EventCode=4625 OR " etc...

This same group wants access to another index. However the restriction on the role above prevents them from reading events from the other index because none of those events exist in the other index.

How can I resolve this issue?


gcusello
SplunkTrust

Hi MikeBertelsen,
Access rights are managed at the index level, so it isn't possible to limit access to only a part of an index.

Probably the best solution is to send the special events (EventCode=4740 OR EventCode=4625 OR ...) to a different index (e.g. special_win), grant both roles access to this index, and limit access to the main_windows index to one role.
To do this, see http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

On your indexer or heavy forwarder:

 # $SPLUNK_HOME/etc/system/local/transforms.conf
 # Index-time override: when REGEX matches the raw event, the event is
 # written to the index named in FORMAT instead of the default one.
 # The target index must already exist on the indexer(s).
 [overrideindex]
 DEST_KEY = _MetaData:Index
 REGEX = EventCode=4740|EventCode=4625
 FORMAT = my_new_index

 # $SPLUNK_HOME/etc/system/local/props.conf
 # Attach the transform to the sourcetype of the Windows event log data
 # (replace "mysourcetype" with the real sourcetype name).
 [mysourcetype]
 TRANSFORMS-index = overrideindex

It could be possible (but it's very hard!) to manage different access levels in dashboards, but it's slow, and dashboard search filters don't run!

Bye.
Giuseppe

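To make the two designs concrete, here is an added Python simulation (not code from the original thread or from Splunk) of both the problem in the question and the routing design in the answer above. It models three Splunk behaviours with plain Python: the transforms.conf REGEX/DEST_KEY override applied to each raw event at index time, index-level role grants, and a role search filter that is ANDed onto every search the role runs. The events are constructed sample data, and the index and role names (main_windows, special_win, other_app, role_special, role_full) are assumptions, not names from the thread.

```python
"""Simulation of index routing versus a role search filter (added example)."""
import re
from dataclasses import dataclass

# transforms.conf [overrideindex]: same event codes as the answer. (?m) makes
# ^ and $ match per line because Windows events carry "EventCode=NNNN" on a
# line of its own (assumption about the raw format); the anchors stop 4625
# from also matching a substring such as "EventCode=46250".
OVERRIDE_REGEX = re.compile(r"(?m)^EventCode=(4740|4625)$")
OVERRIDE_INDEX = "special_win"          # assumed name of the extra index


@dataclass(frozen=True)
class Event:
    index: str
    raw: str

    def field(self, name):
        """Field extraction: first 'name=value' line in the raw event."""
        m = re.search(rf"(?m)^{re.escape(name)}=(.*)$", self.raw)
        return m.group(1).strip() if m else None


def route(default_index, raw):
    """Index-time routing: if REGEX matches _raw, FORMAT replaces the index."""
    idx = OVERRIDE_INDEX if OVERRIDE_REGEX.search(raw) else default_index
    return Event(idx, raw)


# Constructed sample events: two Windows Security events and one app log line.
RAW_4740 = "LogName=Security\nEventCode=4740\nMessage=A user account was locked out."
RAW_4688 = "LogName=Security\nEventCode=4688\nMessage=A new process has been created."
RAW_APP = "app=payroll\nstatus=500\nmsg=backend timeout"

# Index-level grants (assumed role names): the AD group in the question gets
# the special index plus the other index; Windows admins keep everything.
ROLE_INDEXES = {
    "role_special": {"special_win", "other_app"},
    "role_full": {"main_windows", "special_win"},
}


def search(allowed_indexes, events, srch_filter=None):
    """Return the events visible to a role. `srch_filter` is a list of
    (field, value) pairs OR-ed together; like a Splunk role search filter it
    is AND-ed onto the search no matter which index is searched."""
    out = []
    for ev in events:
        if ev.index not in allowed_indexes:
            continue
        if srch_filter and not any(ev.field(k) == v for k, v in srch_filter):
            continue
        out.append(ev)
    return out


def demo_filter_problem():
    """The question's setup: one role, filter 'EventCode=4740 OR EventCode=4625',
    plus a grant on other_app. Returns the indexes of what the role can see."""
    events = [Event("main_windows", RAW_4740),
              Event("main_windows", RAW_4688),
              Event("other_app", RAW_APP)]
    filt = [("EventCode", "4740"), ("EventCode", "4625")]
    return [e.index for e in search({"main_windows", "other_app"}, events, filt)]


def demo_routing_fix():
    """The answer's design: route at index time, then grant by index only.
    Returns (index, identifying field) pairs visible to role_special."""
    events = [route("main_windows", RAW_4740),
              route("main_windows", RAW_4688),
              route("other_app", RAW_APP)]
    visible = search(ROLE_INDEXES["role_special"], events)
    return sorted((e.index, e.field("EventCode") or e.field("app")) for e in visible)


if __name__ == "__main__":
    print("filter problem, visible indexes:", demo_filter_problem())
    print("routing fix, visible events:", demo_routing_fix())
```

`demo_filter_problem()` shows the failure the question describes: the role filter is applied to the other_app event as well, and since it has no EventCode field the event is never returned. `demo_routing_fix()` shows that once the special events live in their own index, access reduces to plain index grants, so the group sees the 4740 event and the app event but not the 4688 event left in main_windows.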

MikeBertelsen
Communicator

It is not impossible to restrict access to just part of an index, because the restriction on the role does exactly that. That solution works great if a group is to have access only to part of an index. It does, however, defeat adding access to an additional index, because the restriction overrides the access to the added index.

I agree that the props/transforms approach is likely the best solution.

Hoping that there is another option.
