Splunk Search

Restrict Search Terms Conditionally Depending On The Index Being Searched

jpass
Contributor

I have multiple indexes to help control user access to data. Now I've run into a situation where data within an index needs to be further divided into access levels.

Here's the structure:

index=i1 foo=bar foo1=bar1
index=i2 type=t1
index=i2 type=t2
index=i2 type=t3
index=i3

Goal: Allow user1 full access to i1 & i3 but only type 't1' in the i2 index

My current roles configuration:
role_i1 - provides full access to index 1
role_i2 - provides full access to index 2
role_i3 - provides full access to index 3

My first inclination was to create a new role:
role_i2_t1 = provides access to index i2 but uses the 'restrict search terms' field to say 'type=t1'

So user1 roles configuration would be as follows:
user1 (role_i1,role_i2_t1,role_i3)

This works fine for restricting access within the i2 index. But the side effect is that, because the other indexes do not contain a field called 'type', users cannot return any search results.

So my questions:
1. Maybe I'm misunderstanding or doing something wrong and my approach is the correct one.
2. Or I'm correct in my findings and another route needs to be taken.
3. The only other option I see thus far is to create an index for each 'type' and continue to use roles to manage access to specific data.

1 Solution

Takajian
Builder

I think your 'restrict search terms = "type=t1"' is not correct. Could you try the following?

index=i1 OR index=i3 OR ( index=i2 AND type=t1 )

As you recognized, the other indexes do not have a type field. You will need to specify each index and field explicitly.


jpass
Contributor

I selected Takajian's answer but provided a modified version and some more details for discussion.

Yup. That's it. Man I must have been up too long or something because simple search logic took care of this issue.

I did modify my approach a bit though to make the string shorter:

index!=i2 OR (index=i2 AND type=t1)

This way if you have a bunch of indexes you don't have to list each one.

Do you see a problem using this method if each index has sub groups under different field names?

For example:

index=i1 color=c1 OR color=c2 OR color=c3
index=i2 type=t1 OR type=t2 OR type=t3
index=i3 size=s1 OR size=s2 OR size=s3

My roles would have to overlap.

role_i1_c1 = index!=i1 OR (index=i1 AND color=c1)
role_i1_c2 = index!=i1 OR (index=i1 AND color=c2)
role_i1_c3 = index!=i1 OR (index=i1 AND color=c3)

role_i2_t1 = index!=i2 OR (index=i2 AND type=t1)
role_i2_t2 = index!=i2 OR (index=i2 AND type=t2)
role_i2_t3 = index!=i2 OR (index=i2 AND type=t3)

role_i3_s1 = index!=i3 OR (index=i3 AND size=s1)
role_i3_s2 = index!=i3 OR (index=i3 AND size=s2)
role_i3_s3 = index!=i3 OR (index=i3 AND size=s3)

Example user1: can access index i1 color c1 and c3 & index i3 size s2

user1 roles assignment: role_i1_c1, role_i1_c3, role_i3_s1

Or would it be easier to just create a bunch of indexes for each sub-group?

FYI:
i1 currently has 20 colors
i2 has about 30 types
i3 has 4 sizes

Thanks for your time.

jpass
Contributor

I have confirmed this in fact does work. I only tested it briefly but it seemed to work perfectly. If a user is assigned multiple roles like I described above, it effectively turns a user's access on / off for those data types. I'm not sure how much it would affect performance but at first glance it seemed fine. I'll report back more after I've done some more testing.
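As an added illustration (not code from the thread or from Splunk), the Python below evaluates the restriction strings discussed above against five constructed events; it assumes that Splunk ORs together the search filters of every role a user holds, which is consistent with the multi-role behaviour jpass reports.

```python
from typing import Callable, Dict, List

Event = Dict[str, str]
Pred = Callable[[Event], bool]

# Constructed events mirroring the thread's layout; not real Splunk data.
EVENTS: List[Event] = [
    {"index": "i1", "color": "c1"},
    {"index": "i1", "color": "c2"},
    {"index": "i2", "type": "t1"},
    {"index": "i2", "type": "t2"},
    {"index": "i3", "size": "s1"},
]

def eq(field: str, value: str) -> Pred:
    # field=value: an event lacking the field never matches, which is why a
    # bare 'type=t1' filter hides every i1 and i3 event.
    return lambda ev: ev.get(field) == value

def ne(field: str, value: str) -> Pred:
    # field!=value: as in Splunk, the field must be present to match.
    return lambda ev: field in ev and ev[field] != value

def any_of(*preds: Pred) -> Pred:  # OR
    return lambda ev: any(p(ev) for p in preds)

def all_of(*preds: Pred) -> Pred:  # AND
    return lambda ev: all(p(ev) for p in preds)

def sub_role(index: str, field: str, value: str) -> Pred:
    # jpass's shortened pattern: index!=<i> OR (index=<i> AND <field>=<value>)
    return any_of(ne("index", index), all_of(eq("index", index), eq(field, value)))

ROLES: Dict[str, Pred] = {
    "role_naive": eq("type", "t1"),  # the original restriction from the question
    "role_i1_c1": sub_role("i1", "color", "c1"),
    "role_i2_t1": sub_role("i2", "type", "t1"),
    "role_i3_s1": sub_role("i3", "size", "s1"),
}

def visible(role_names: List[str], events: List[Event] = EVENTS) -> List[str]:
    """Events a user holding these roles can see, as 'index:subgroup' labels.
    Assumption: Splunk ORs the filters of all of a user's roles, so each extra
    role only widens access. Only the filter is modelled; index-level
    permissions (srchIndexesAllowed) are assumed to cover every index here."""
    filters = [ROLES[r] for r in role_names]
    def label(ev: Event) -> str:
        return ev["index"] + ":" + (ev.get("color") or ev.get("type") or ev.get("size"))
    return sorted(label(ev) for ev in events if any(f(ev) for f in filters))
```

Under the OR assumption, holding role_i1_c1 together with role_i3_s1 exposes i1:c2, because the `index!=i3` clause of role_i3_s1 matches every i1 event. The shortened pattern therefore only confines a user when all of their filtered roles target the same index.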


