Configure Splunk DB Connect security and access controls
The role-based user access controls in Splunk Enterprise enable you to set up access permissions for identity and connection objects, as well as capabilities for inputs, outputs, and lookups in Splunk DB Connect. You can grant a user global access to all DB Connect features and available database connections, or limit a user's access to only specific database connections or capabilities.
Before using DB Connect, the logged-in user must have the ability to write to the
$SPLUNK_HOME/var directory (
%SPLUNK_HOME%\var on Windows hosts) and to
$SPLUNK_HOME/etc/apps/splunk_app_db_connect on Windows hosts) and its sub-directories. For more information, see Use access control to secure Splunk data.
When thinking about permissions in DB Connect, familiarize yourself with the Splunk Enterprise role-based user access system. You can create Splunk Enterprise users with passwords and assign them to roles. Roles determine the access and permissions of any user you assign to that role, including whether a user can access DB Connect. Roles determine users' capabilities for many Splunk Enterprise tasks, including DB Connect tasks.
When you install DB Connect, it adds two new roles to Splunk Enterprise: db_connect_admin and db_connect_user. In addition, Splunk Enterprise gives DB Connect capabilities to its admin role.
- The db_connect_user role has 11 capabilities and inherits from the user role. Its capabilities involve reading DB Connect objects.
- The db_connect_admin role has 31 capabilities and inherits from the db_connect_user role. Its capabilities involve reading and writing DB Connect objects, plus actions involving the task server.
- The existing Splunk Enterprise admin role automatically gets all DB Connect-specific capabilities when you install DB Connect.
To set or view the capabilities of a specific role from within Splunk Enterprise, go to Settings > Access controls > Roles. From here you can also create new roles with specific capabilities.
You set permissions when you define the DB Connect identities and connections. An identity object contains encrypted database credentials. A connection object contains the necessary information for connecting to a remote database.
Use the Permissions table on the New Identity and New Connection setup pages to specify the Splunk Enterprise roles that have access to the identity or connection.
- Read access to an object means that Splunk Enterprise roles will be able to use the object.
- Write access to an object means that Splunk Enterprise roles will be able to use and modify the object.
By default, the Splunk Enterprise "admin" and "db_connect_admin" roles have read-write access to objects such as identities or connections, the "db_connect_user" role has read access. All other roles have no access.
The permissions you set when you create a new identity or a new connection are related to Splunk Enterprise roles, and are not related to database permissions. Because identities store encrypted database credentials, the level of database access that an identity has is directly related to the user account that you store in the identity. When you use an identity to connect to your database, your access to that database is limited to the database access level of the user you have stored in that identity.
For example, if you added the credentials of user1 to identity1, and user1 only has access to table abc on the database and not to table xyz, a connection that uses identity1 only has access to table abc, and not xyz, on the database. That means that any database input, output, or lookup using that connection also only has access to just table abc on that database.
Therefore, you must consider which database credentials to store within a DB Connect identity. You may wish to create DB Connect-specific users on the database who have access to only the database tables you want to access with Splunk Enterprise, and then assign those users to your identities.
Every role in Splunk Enterprise has capabilities. In DB Connect, permissions define access for identities and connections, but capabilities define access for DB Connect-specific modular inputs, which include inputs, outputs, and lookups.
By defining the capabilities a role has, you define what that role can do with the inputs, outputs, and lookups you have created. For instance, the db_connect_user role can use inputs, outputs, and lookups, but the db_connect_admin role includes the additional capabilities that enable it to edit inputs, outputs, and lookups (specifically, "edit_modinput_mi_input," "edit_modinput_mi_output," and "edit_modinput_mi_lookup").
Splunk DB Connect supports the readonly JDBC attribute which can restrict connections to read-only mode. This setting alone does not guarantee that users connecting via DB Connect will not be able to write to the database.
When you create a new connection, select the readonly checkbox to restrict users to using
SELECT statements with the database. The readonly checkbox cannot always guarantee read-only access; the database driver ultimately allows or prevents changes.
If you use the read-only option, ensure that, on the database itself, you limit the user to read-only access. To determine if you database supports read-only access, read Supported databases or check your database vendor's documentation.
Configure Splunk DB Connect settings
Create and manage identities
This documentation applies to the following versions of Splunk® DB Connect: 3.8.0, 3.9.0, 3.10.0