Restrict access so users can only view specific lookups

katzr
Path Finder

Hello,

I have a new set of users who I want to only be able to access 2 specific lookups. However, those lookups still need to be viewed by my other general users. As of now, I don't have separate apps set up for anything; everything lives in Search & Reporting.

What is the best way to approach this situation so that my users will only be able to view the 2 lookups in a dashboard but not access any other data?

EDIT:
I have thought about it and I think the below method may work. Is this a way to approach the problem?

Create a new role and give it all of the same capabilities as the user-role but do not give the role access to any indexes. All of my lookups are global permissions so they will be able to see the necessary lookups.

Downfalls: they will be able to see all lookups (but not a huge concern if they don't know the name of the lookup and are not searching for other data), and they will see other dashboards (but the data in the dashboards will be blank, correct?).

0 Karma

damien_chillet
Builder

Hi katzr,

When you say "All of my lookups are global permissions", are you talking about the object context (shared in all Apps) or saying read permissions are set to everyone?

Because if you do create a new role, I think you could assign Read permissions to it for specific lookups only.

0 Karma

katzr
Path Finder

The read permissions are set to everyone. How can I set the read permissions to specific lookup only for a role?

0 Karma

damien_chillet
Builder

Settings > Lookups > Lookup Table Files
then click the Permissions hyperlink for the specific lookup, uncheck Everyone in the Read column, and check the role(s) you want to assign read permissions to.

0 Karma
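One way to verify the outcome of the per-lookup Read permissions described in the answer above, added here as an example and not code from the thread or from Splunk: it parses an app's `metadata/local.meta` text and lists the lookup files a given set of roles can read. The sample file content, the lookup names and the role `lookup_viewer` are constructed, and the fallback order for lookups with no `access` line of their own is a simplifying assumption.

```python
import re

# Constructed sample of an app's metadata/local.meta; lookup names and the
# role "lookup_viewer" are hypothetical.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[lookups/allowed_a.csv]
access = read : [ admin, user, lookup_viewer ], write : [ admin ]
export = system

[lookups/allowed_b.csv]
access = read : [ admin, user, lookup_viewer ], write : [ admin ]
export = system

[lookups/hr_accounts.csv]
access = read : [ admin, user ], write : [ admin ]

[lookups/legacy_assets.csv]
export = system
"""

def parse_meta(text):
    """Return (stanza names in order, {stanza: roles listed for read})."""
    stanzas, readers, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.append(current)
            continue
        acl = re.match(r"access\s*=.*?read\s*:\s*\[([^\]]*)\]", line)
        if acl and current is not None:
            readers[current] = {r.strip() for r in acl.group(1).split(",") if r.strip()}
    return stanzas, readers

def readable_lookups(text, roles):
    """Lookup files readable by any of `roles` (pass inherited roles too)."""
    stanzas, readers = parse_meta(text)
    # Assumed fallback: object stanza, then [lookups], then default [];
    # with no ACL anywhere the audit treats the lookup as readable by everyone.
    fallback = readers.get("lookups", readers.get("", {"*"}))
    return sorted(s[len("lookups/"):] for s in stanzas if s.startswith("lookups/")
                  and ({"*"} | set(roles)) & readers.get(s, fallback))
```

In the sample, `legacy_assets.csv` is still readable by the restricted role because it has no explicit ACL and falls back to the default stanza, which is the case to look for after unchecking Everyone on individual lookups.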

woodcock
Esteemed Legend

The only good RBA in Splunk is access to particular index values; everything else is paper thin and easily bypassed. Therefore, the only thing that might work is a scripted lookup that creates a temporary lookup from a Splunk search against a static index where the lookup data has been indexed and saves it to a random lookup name, uses the lookup and then deletes the lookup. This is really tempting me to try and create this but I am too busy. It should work though.

0 Karma

katzr
Path Finder

@woodcock thank you for the help. Let's say that it is okay if they can view all of the lookups. They wouldn't be able to view any of the indexes, though, if I don't assign the role the permissions, correct?

0 Karma

woodcock
Esteemed Legend

Yes, restrictions on index data are pretty solid.

0 Karma