Splunk Enterprise Security

How do I restrict permission on a particular source inside of an index instead of from the whole index?

akchauhan
Explorer

Hi

I have an index named "xyz" and inside that, I have data from different sources (a,b,c etc). I want to restrict permission on index=xyz source=a instead of the whole index. Is this possible to do? If yes, how can i do it?

please help.

0 Karma
1 Solution

maciep
Champion

Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Aboutusersandroles

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Addandeditroles#Search_filter_format

View solution in original post

woodcock
Esteemed Legend

There is nothing that cannot be trivially bypassed. You can send the data twice (double license hit) once to the everybody index and once (filtered to remove source=a) to the somebodies index. Or you can use ... | NOT source=a | collect in a scheduled search to a summary index (free).

0 Karma

maciep
Champion

Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Aboutusersandroles

https://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Addandeditroles#Search_filter_format

akchauhan
Explorer

I was able to do this by using search filter but I would suggest to get data in separate index and restrict permission on that instead of source level. Restricting permission at source level is very difficult to maintain in long run and is little complicated.

0 Karma

starcher
SplunkTrust
SplunkTrust

Not effectively no. Index is the fundamental ACL boundary.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...