Security

Tuning security in enterprise

brettcave
Builder

I am trying to configure explicit information access based on roles in Splunk Enterprise.

I have configured a number of event types and field extractions. Is it possible to configure access to an event type, but not allow access to 1 field in a multi-field matcher? e.g. below to illustrate what I am trying to achieve:

event type "SomeInfo" search term: "SomeInfo: "
field extractor "InfoExtr" regex:   aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)
log example: SomeInfo: aField: foo, bField: bar, cField: 99

I would like to allow a role to access FieldA and FieldB, but not FieldC. Is this possible?

I have the following in the Restrict search Terms: (eventtype="SomeInfo" OR eventtype="Other"). I have tried adding (NOT FieldC) (doesn't filter) or (NOT FieldC="*") (filters entire event).

0 Karma

rtadams89
Contributor

I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.
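
One way to set up the two-index approach suggested above, as an added example that is not part of the original post. The sourcetype names (`app_info`, `app_info_restricted`), the index name `someinfo_restricted` and the role name are hypothetical; the event format and extraction regex are taken from the question.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# [app_info] is a hypothetical name for the sourcetype the events arrive with.
[app_info]
# Clone every SomeInfo event; the original continues unchanged to its usual index.
TRANSFORMS-clone_someinfo = clone_someinfo_restricted

# Hypothetical sourcetype assigned to the clone. Sed commands and index-time
# transforms in this stanza apply to the cloned copy only.
[app_info_restricted]
# Mask the cField value but keep the key and layout, so the extraction regex
# still matches and FieldA / FieldB remain searchable in the masked copy.
SEDCMD-mask_cfield = s/cField: [^,]+/cField: ####/g
TRANSFORMS-route_restricted = route_to_restricted_index
# The search-time extraction from the question, repeated for the new sourcetype.
EXTRACT-InfoExtr = aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)

# transforms.conf
[clone_someinfo_restricted]
REGEX = SomeInfo:\s
CLONE_SOURCETYPE = app_info_restricted

[route_to_restricted_index]
REGEX = .
DEST_KEY = _MetaData:Index
# Hypothetical index name; the index must already exist.
FORMAT = someinfo_restricted

# authorize.conf
# Hypothetical role that can search only the masked copy.
[role_someinfo_limited]
srchIndexesAllowed = someinfo_restricted
srchIndexesDefault = someinfo_restricted
```

Index access is inherited from imported roles, so the restricted role must not import a role that can search the unmasked index. Because the masking happens at index time, the cloned events never contain the real `cField` value, regardless of what search the role runs.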

brettcave
Builder

thanks, that makes sense, nice approach.

0 Karma

brettcave
Builder

doesn't look like it.

0 Karma

brettcave
Builder

assuming this isn't possible?

0 Karma