This Index Access Mapping app displays LDAP controlled access mappings from Index to Role to LDAP Group to User, displaying the mapping as both a table and a Sankey diagram.
Access control of indexed data in Splunk is realized by mapping roles to users, where each role contains a list of indexes in the srchIndexesAllowed and srchIndexesDefault fields. Creating a separate data access role for each index, listing a single index name in the srchIndexesAllowed and srchIndexesDefault fields, allows for fine-grained access control to the indexes. Mapping a data access role to LDAP groups allows tailoring of index access on a per-individual or per-group basis. The required role mappings in authorize.conf are best deployed as a distributed app for access consistency across all of your search heads.
Unfortunately, the base Splunk code does not provide a view of this mapping from end to end, and the authorize.conf configuration file quickly becomes undecipherable to visual inspection in larger environments.
Splunk does provide REST API calls to return data about Indexes, Roles, Users, and LDAP Groups. The index access mappings can be obtained through a series of table joins.
(roles left join indexes) left join [ (LDAP-groups left join users) append users(type=Splunk) ]
The search effectively gets the user list from two sources, joined on roles:
For the locally defined users, we force the groups field to be of the form Splunk(username) to indicate that there is no LDAP group granting the access, but rather that the access role was granted directly in the local Splunk user definitions.
The REST endpoints queried and the fields taken from each (what survives of the original search diagram; the #! notes mark the two user sources):
/services/authorization/roles -> role, mv(srchIndexesAllowed) + mv(srchIndexesDefault)
/services/data/indexes -> index
/services/admin/LDAP-groups -> mv(roles), groups, mv(users "CN=*,")   #! LDAP users
/services/authentication/users -> users, realname
/services/authentication/users -> mv(roles), groups, users, realname   #! Local Splunk users
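The join chain above is easier to follow when run over a small, fully visible data set. The following Python is an added example, not the app's own code (the app itself is SPL dashboards over the REST endpoints listed); it reproduces the join semantics described on this page over constructed stand-ins for the four endpoints. Assumptions are labelled in the comments: the field names (title, srchIndexesAllowed, srchIndexesDefault, roles, users, realname, type) follow the REST responses as this page names them, the LDAP member DN is matched to the Splunk user's realname by its CN (my reading of the mv(users "CN=*,") / realname step), local users get the Splunk(username) group the page describes, and the i./r./g./u./rn. prefixes are applied when building Sankey edges so that an admin user and an admin role stay distinct nodes.

```python
import re
from collections import Counter

# --- Constructed stand-ins for the four REST endpoints (not real Splunk data) ---
ROLES = [  # /services/authorization/roles
    {"title": "admin",   "srchIndexesAllowed": ["*"],       "srchIndexesDefault": ["main"]},
    {"title": "idx_net", "srchIndexesAllowed": ["net"],     "srchIndexesDefault": ["net"]},
    {"title": "idx_hr",  "srchIndexesAllowed": ["hr"],      "srchIndexesDefault": ["hr"]},
    {"title": "idx_fin", "srchIndexesAllowed": ["finance"], "srchIndexesDefault": []},
]
INDEXES = {"main", "net", "hr"}  # /services/data/indexes ("finance" is deliberately undefined)
LDAP_GROUPS = [  # /services/admin/LDAP-groups
    {"title": "CN=NetOps,OU=Groups,DC=example,DC=com", "roles": ["idx_net"],
     "users": ["CN=Alice Smith,OU=People,DC=example,DC=com",
               "CN=Bob Jones,OU=People,DC=example,DC=com"]},
    {"title": "CN=HR,OU=Groups,DC=example,DC=com", "roles": ["idx_hr"],
     "users": ["CN=Carol White,OU=People,DC=example,DC=com"]},
]
USERS = [  # /services/authentication/users
    {"title": "asmith",  "realname": "Alice Smith",   "type": "LDAP",   "roles": ["idx_net"]},
    {"title": "bjones",  "realname": "Bob Jones",     "type": "LDAP",   "roles": ["idx_net"]},
    {"title": "cwhite",  "realname": "Carol White",   "type": "LDAP",   "roles": ["idx_hr"]},
    {"title": "admin",   "realname": "Administrator", "type": "Splunk", "roles": ["admin"]},
    {"title": "svc_net", "realname": "Net scanner",   "type": "Splunk", "roles": ["idx_net"]},
]

CN_RE = re.compile(r"^CN=([^,]+),")  # assumption: group members are DNs starting with CN=


def role_index_rows():
    """roles left join indexes: one row per (role, index). index_defined is False when
    the role names an index that does not exist or a wildcard such as '*'."""
    rows = []
    for r in ROLES:
        seen = []
        for idx in r["srchIndexesAllowed"] + r["srchIndexesDefault"]:
            if idx not in seen:  # mv() union, order preserved
                seen.append(idx)
        for idx in seen:
            rows.append({"role": r["title"], "index": idx, "index_defined": idx in INDEXES})
    return rows


def role_access_rows():
    """(LDAP-groups left join users) append users(type=Splunk): one row per
    (role, group, user). Each member CN is matched to a Splunk user's realname;
    local users get the synthetic group Splunk(username)."""
    by_realname = {u["realname"]: u for u in USERS}
    rows = []
    for g in LDAP_GROUPS:
        for role in g["roles"]:
            for dn in g["users"]:
                m = CN_RE.match(dn)
                cn = m.group(1) if m else dn
                u = by_realname.get(cn)  # None if the LDAP member has no Splunk user yet
                rows.append({"role": role, "group": g["title"],
                             "user": u["title"] if u else None, "realname": cn})
    for u in USERS:
        if u["type"] == "Splunk":
            for role in u["roles"]:
                rows.append({"role": role, "group": f"Splunk({u['title']})",
                             "user": u["title"], "realname": u["realname"]})
    return rows


def index_access_map():
    """Final left join on role: roles nobody holds keep null group/user/realname."""
    holders = {}
    for a in role_access_rows():
        holders.setdefault(a["role"], []).append(a)
    empty = [{"group": None, "user": None, "realname": None}]
    return [{**ri, "group": h["group"], "user": h["user"], "realname": h["realname"]}
            for ri in role_index_rows() for h in holders.get(ri["role"], empty)]


def filter_rows(rows, hide_admin=True, hide_null=True):
    """The two checkboxes: drop the admin role and any row with a null/undefined field."""
    return [r for r in rows
            if not (hide_admin and r["role"] == "admin")
            and not (hide_null and (r["group"] is None or r["user"] is None
                                    or not r["index_defined"]))]


def sankey_edges(rows):
    """Count edges index -> role -> group -> user -> realname, prefixing each level
    (i. r. g. u. rn.) so same-named objects at different levels stay distinct nodes."""
    edges = Counter()
    for r in rows:
        levels = [("i.", r["index"]), ("r.", r["role"]), ("g.", r["group"]),
                  ("u.", r["user"]), ("rn.", r["realname"])]
        nodes = [p + v for p, v in levels if v is not None]
        for src, dst in zip(nodes, nodes[1:]):
            edges[(src, dst)] += 1
    return edges


def who_can_read(index, rows=None):
    """Use case 1: which users, via which group, can read the given index."""
    rows = filter_rows(index_access_map()) if rows is None else rows
    return sorted({(r["user"], r["group"]) for r in rows if r["index"] == index})


def how_does_user_reach(user, index, rows=None):
    """Use case 2: through which group(s) a user gains access to an index."""
    rows = filter_rows(index_access_map()) if rows is None else rows
    return sorted({r["group"] for r in rows if r["user"] == user and r["index"] == index})


if __name__ == "__main__":
    for row in filter_rows(index_access_map()):
        print(row)
    print(who_can_read("net"))
```

Running the block with the admin filter switched off shows why the prefixes matter: r.admin and u.admin appear as two separate nodes, whereas an unprefixed "admin" would collapse the role and the user into one and loop the diagram back on itself.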
Note: splunk_server=local changes to a pulldown list of Search Heads if this app is installed on a monitoring console.
The two major use cases for this app are to investigate who has access to a particular index, and to discover by which LDAP group a particular user gains access to a particular index. To this end, several different input fields have been provided for limiting the results based on a combination of indexes, roles, groups, and users.
Pulldown selection - Splunk Search Head (local, or a list if installed on a Monitoring Console)
Multiselect fields - indexes, roles, groups, users
Text search input - for adventurous custom searching, such as indexes=net, or realname=smith*.
Two checkboxes - to hide the admin role and any null values, as they tend to unnecessarily clutter up the results.
Sankey checkbox - turns off the Sankey panels, should the visualization not be available or desired.
Sankey height pulldown - sets the height of the Sankey diagram in pixels.
The Sankey diagram requires that every node to be charted be unique. Unfortunately, Splunk imposes no such uniqueness requirement across indexes, roles, LDAP groups, and users. Vanilla Splunk comes with both an admin user and an admin role, which tends to turn portions of the multilevel Sankey diagram into looping spaghetti, as the Sankey code cannot distinguish between admin as a role and admin as a user. To prevent this spaghettification, we have prefixed the indexes, roles, groups, users, and realnames in the Sankey diagram with i., r., g., u., and rn., respectively, which forces them to be unique.
The Sankey visualization should be installed on the same Search Head(s) as this app.
This app should be installed on single-instance deployments, or on the Search Heads and Monitoring Console of a distributed deployment, either directly or by deployment server. The app itself contains only dashboards.