Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Use access control to secure Splunk data

Role-based access control provides flexible and effective tools that you can use to protect data on the Splunk platform.

The Splunk platform masks data to the user much like the way a relational database manages role-based access control. In some cases total segmentation of data might be necessary. In other cases, controlling the searches and results at the presentation layer (something you can do with many Splunk apps) might meet your security needs.

Consider the following use cases when you decide how to set up your Splunk platform configuration and whether role-based access might fit your needs or not. For example:

  • When intentionally or unintentionally exposing sensitive data to the wrong user might incur legal ramifications, consider creating indexes specifically for privileged and non-privileged accounts and assigning the indexes to roles that you create for each level of access.
  • When there are security concerns, but not so much legal risks, you can restrict access using apps. For example, you can create an app with static dashboards and assign roles with lower clearance to those dashboards. This limits the type of information that the user assigned to the role may access.
  • Field encryption, search exclusions, and field aliasing to redacted data are also great ways to tighten up a limited search case.
  • For extremely sensitive data, where even allowing access to a Splunk platform instance that might have sensitive data incurs legal risk, consider procuring more than one Splunk platform instance, and then configuring each instance with the data for the appropriate audience.
Last modified on 09 April, 2021
PREVIOUS
Some best practices for your servers and operating system 		  NEXT
About user authentication

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters