Limit users searches to OUs in AD

twhisnant
New Member

How can I limit Splunk users searches to events for objects in their respective OUs? UserA under OU-A should be able to search for events from all workstations/servers under that branch in AD but not under a same level OU, such as OU-B.

So, users under the OU "Houston" should be able to search for all events for machines in their directory structure, but not other OUs.

Confusing? Would be awesome...


the_wolverine
Champion

You could give each OU a role and restrict that role to being able to search on its own OU using a search filter of "OU=x".



twhisnant
New Member

I'm trying to find a way to show all events from UFs that live in a certain branch. If the agent sent this information up to the indexers AND was searchable then I can see adding this to a role. Feature request?


twhisnant
New Member

We do something similar now, but it's restricted to matching search terms, and rarely does an event contain the AD OU path. Example: srcip=1.1.1.0/24 for the role's search terms returns all events containing that field and value but NOT all events from machines in that subnet, so the user is seeing limited information.

"...search on its own OU using a search filter of "OU=x"": I believe this would only return events with a field of OU defined AND values in that field, a pretty rare occurrence. I don't see where this aligns to an object's place in AD.


alacercogitatus
SplunkTrust

The only way I could see this happening is by splitting the machine events into different "OU Indexes". You would, using your example, create an index of "ou_houston". Then assign roles in Splunk to only allow users with the "OU_Houston" role to search index "ou_houston". So it would be something like:

index=ou_houston host=some_host | blah

http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf

http://splunk-base.splunk.com/answers/10582/permissions-on-indexes-and-sourcetypes

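An added example, not from any post in this thread, of the index-per-OU setup alacercogitatus describes, with the search-filter variant the_wolverine mentioned alongside it for comparison. The index and role names, the `hou-` hostname prefix and the Windows Security log input are assumptions made for the example.

```ini
# indexes.conf (indexers): one index per OU (name is a constructed example)
[ou_houston]
homePath   = $SPLUNK_DB/ou_houston/db
coldPath   = $SPLUNK_DB/ou_houston/colddb
thawedPath = $SPLUNK_DB/ou_houston/thaweddb

# inputs.conf (deployed only to forwarders on hosts in the Houston OU):
# every event those hosts send lands in that OU's index, regardless of
# whether the event text mentions the OU.
[WinEventLog://Security]
disabled = 0
index = ou_houston

# authorize.conf (search head): the role can search only its OU's index.
# srchIndexesDefault is set as well, so a search that omits "index=" still
# stays inside the OU instead of silently returning nothing.
[role_ou_houston]
importRoles        = user
srchIndexesAllowed = ou_houston
srchIndexesDefault = ou_houston

# Search-filter variant: no separate index, the filter is ANDed onto every
# search the role runs. It only scopes correctly if hostnames encode the OU
# (assumed "hou-" prefix); events whose host field does not match are invisible.
[role_ou_houston_filter]
importRoles = user
srchFilter  = host=hou-*
```

The role is then tied to the matching AD group through the LDAP role mapping in authentication.conf, so group membership in AD decides which index a user can search.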

twhisnant
New Member

While an option, it would add considerable overhead for us (20+ existing indexes containing 50+ sourcetypes, multiple groups, multiple companies).
