How can I limit Splunk users searches to events for objects in their respective OUs? UserA under OU-A should be able to search for events from all workstations/servers under that branch in AD but not under a same level OU, such as OU-B.
So, users under the OU "Houston" should be able to search for all events for machines in their directory structure, but not other OUs.
Confusing? Would be awesome...
You could give each OU a role and restrict that role to being able to search on its own OU using a search filter of "OU=x"
I'm trying to find a way to show all events from UFs that live in a certain branch. If the agent sent this information up to the indexers AND was searchable then I can see adding this to a role. Feature request?
We do something similar now, but it's restricted to matching search terms and rarely does an event contain the AD OU path. Example: srcip=1.1.1.0/24 for the roles search terms returns all events containing that field and value but NOT all events from machines in that subnet, so the user is seeing limited information.
"...search on its own OU using a search filter of "OU=x"": I believe this would only return events with a field of OU defined AND values in that field, pretty rare occurrence. I don't see where this aligns to an objects place in AD.
The only way I could see this happening is by splitting the machine events into different "OU Indexes". You would, using your example, create an index of "ou_houston". Then assign roles in Splunk to only allow users with the "OU_Houston" role to search index "ou_houston". So it would be something like:
index=ou_houston host=some_host | blah
http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf
http://splunk-base.splunk.com/answers/10582/permissions-on-indexes-and-sourcetypes
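The per-OU index approach above, written out as the three config fragments it needs. This is an added example, not the answerer's configuration; the index name ou_houston and the role name come from the thread, the paths are Splunk's usual defaults, and it assumes the forwarder stanza is pushed only to hosts under OU=Houston (e.g. via a deployment server serverclass):

```ini
# indexes.conf (indexers): one index per OU, as suggested above.
[ou_houston]
homePath   = $SPLUNK_DB/ou_houston/db
coldPath   = $SPLUNK_DB/ou_houston/colddb
thawedPath = $SPLUNK_DB/ou_houston/thaweddb

# inputs.conf (every universal forwarder under OU=Houston):
# the [default] stanza routes all of this forwarder's inputs into the
# OU index, so no per-input "index =" lines are needed.
[default]
index = ou_houston

# authorize.conf (search head): a role that can only see ou_houston.
# srchIndexesAllowed is the hard boundary enforced at search time;
# srchIndexesDefault just makes "index=ou_houston" optional for these users.
[role_ou_houston]
importRoles        = user
srchIndexesAllowed = ou_houston
srchIndexesDefault = ou_houston

# Alternative if per-OU indexes are too much overhead: restrict the role by
# host pattern instead of by index. This only works where hostnames actually
# encode the OU (assumed naming convention shown here), which is the gap the
# "OU=x" filter idea runs into.
# [role_ou_houston]
# srchFilter = host=*.houston.corp.example
```

Check the boundary from the role itself: a Houston user running `index=* | stats count by index` should see only ou_houston, and `index=ou_main` should return nothing rather than an error.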
While an option, it would add considerable overhead for us (20+ existing indexes containing 50+ sourcetypes, multiple groups, multiple companies).