Splunk Cloud Platform

Securing Splunk Cloud Platform

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Exempt certain roles from field filters using Splunk Web

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes with field filters.

How to exempt certain roles from field filters using Splunk Web

By default, field filters apply to all roles, unless you specify certain roles that are exempt from the field filter because they are authorized to access the confidential data. Users who are assigned to a role that is exempt from a field filter can see restricted data when they run searches that other non-exempt roles can't see.

Role exemptions for field filters are inherited, which means that roles inherit the exemptions of their parent. For example, say the User role is exempt from a field filter, and another role called UserInherited inherits the User role. Because of role inheritance, all users who are assigned to the User role and UserInherited role are exempt from the field filter.

Prerequisites

To create, view, edit, and delete field filters, you must be a member of the predefined admin role, which includes the edit_field_filter capability by default. Alternatively, you must be a member of a custom role that is assigned the following capabilities:

  • view_field_filter
  • edit_field_filter
  • change_authentication

Custom roles can create, edit, and view field filters, but they can't delete field filters. Only users with the admin role are allowed to delete field filters. To add capabilities to a role, see Define roles on the Splunk platform with capabilities.

Steps

To use Splunk Web to exempt a role from an existing field filter, follow these steps:

  1. Select Settings and then Field filters from Users And Authentication.
  2. From the Actions menu, select Edit for the field filter you want to update.
  3. Select Next.
  4. In the Exempt role from filter (optional) page, add any roles to the list of Roles without filter that you do not want the field filter to affect. If you do not select any roles to exempt from this field filter, the field filter will apply to all roles when users run searches to which this field filter applies.
  5. Select Next.
  6. Verify that your field filter is configured properly and then select Save. Confirm that the trusted roles you have exempted from the field filter still have access to the sensitive search data that you are protecting from users holding other roles.

Examples

1. Exempt senior support staff from the PhoneNumber field filter

You work in the healthcare field and have a field that keeps track of patient's phone numbers. Because the field contains sensitive information that you don't want visible to the majority of your staff, you created a field filter for the PhoneNumber field that replaces the value of the field with a SHA-512 hash. But, your senior support staff who need to contact patients to troubleshoot issues need access to that field data, so you need to exempt their role from the field filter.

In Splunk Web, you edit the field filter for the PhoneNumber field by adding the Senior_Support role to the list of Roles without filter that you do not want the field filter to affect.

Now when a member of the Senior_Support role runs a search that accesses the PhoneNumber field, the data for that field will be visible. However, unauthorized users who hold roles other than the Senior_Support role just see a SHA-512 hash when their searches include events with the PhoneNumber field.

See also

Protect PII, PHI, and other sensitive data with field filters
Last modified on 23 April, 2024
PREVIOUS
Optimize field filter performance using Splunk Web 		  NEXT
Turn off Splunk platform field filters

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2312

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters