Users, roles, and authentication
Once you have familiarized yourself with your Splunk configuration and data, review your users, their permissions, and their authorization methods.
Splunk Enterprise supports several user authentication systems:
- Splunk internal authentication with role-based user access
- LDAP
- A scripted authentication API for use with an external authentication system, such as PAM or RADIUS
- Multifactor authentication
- Single sign-on
Internal authentication and role-based user access
Role-based access control lets you manage users and restrict or share Splunk Enterprise data. Splunk Enterprise masks data from users in a manner similar to how a relational database manages role-based access control.
Discover or modify existing configurations
Familiarize yourself with your existing users and their assigned roles. Roles determine the user's data access level and the actions they can perform.
In Splunk Web, click Settings > Access Controls to see all of your Splunk users. On the Access Controls page, you can click roles and users to examine or edit their permissions. You can use this page to create a list of the data available to each user or group of users. See Use access control to secure Splunk data in Securing Splunk Enterprise.
To find a specific user, you can use the CLI to search for a user and role. See Find existing users and roles in Securing Splunk Enterprise.
LDAP authentication
When administrators configure Splunk to work with LDAP, they create "LDAP strategies". An LDAP strategy is a collection of configuration data that Splunk uses to work with your LDAP configuration. Splunk can be directed to query these strategies in a particular order when searching for LDAP users. See Set up user authentication with LDAP in Securing Splunk Enterprise.
Discover or modify existing LDAP configurations
Familiarize yourself with the existing LDAP groups and permissions mappings by looking at all of your strategies. To view or edit existing LDAP strategies, follow these steps:
1. Under Users and authentication click Access controls.
2. Click LDAP.
3. From this page, you can select strategies to view their information and trace their LDAP mappings to Splunk roles.
See Configure LDAP with Splunk Web in Securing Splunk Enterprise.
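The same review can be done offline from configuration. This is an added example, not part of the Splunk documentation: it assumes the LDAP settings are stored in authentication.conf, with authSettings listing the strategies in query order and one roleMap_<strategy> stanza per strategy. The sample file contents and the function names are constructed for illustration.

```python
import configparser

# Constructed sample authentication.conf; strategy, host and group names are made up.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap, partner_ldap

[corp_ldap]
host = ldap.corp.example

[partner_ldap]
host = ldap.partner.example

[roleMap_corp_ldap]
admin = splunk-admins
power = soc-analysts;splunk-admins
user = all-staff

[roleMap_partner_ldap]
admin = partner-ops
user = partner-readonly
"""

def ldap_role_mappings(conf_text):
    """Return (authType, [(strategy, {ldap_group: [roles]}), ...]) in query order."""
    conf = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    conf.optionxform = str  # keep role and key names exactly as written
    conf.read_string(conf_text)
    auth = conf["authentication"]
    strategies = [s.strip() for s in auth.get("authSettings", "").split(",") if s.strip()]
    mappings = []
    for name in strategies:
        groups = {}
        section = f"roleMap_{name}"
        if conf.has_section(section):
            for role, group_list in conf[section].items():
                # One Splunk role maps to a semicolon-separated list of LDAP groups.
                for group in filter(None, (g.strip() for g in group_list.split(";"))):
                    groups.setdefault(group, []).append(role)
        mappings.append((name, groups))
    return auth.get("authType"), mappings

def groups_granting(mappings, role):
    """List (strategy, ldap_group) pairs that map to the given Splunk role."""
    return [(s, g) for s, groups in mappings for g, roles in groups.items() if role in roles]

if __name__ == "__main__":
    auth_type, mappings = ldap_role_mappings(SAMPLE_CONF)
    print("authType:", auth_type)
    for strategy, group in groups_granting(mappings, "admin"):
        print(f"admin via {strategy}: {group}")
```

Inverting the role map by LDAP group shows every Splunk role a directory group receives, which makes groups that map to admin in any strategy easy to single out for review.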
Multifactor authentication
Splunk Enterprise currently supports multifactor authentication with Duo Security. See About two-factor authentication with Duo Security in Securing Splunk Enterprise.
Find or modify existing configurations
Use Splunk Web to find out whether your system uses Duo Security two-factor authentication.
1. Under Settings click Users and Authentication.
2. For Authentication Method select Duo Security.
3. On this page you can see if your system has multifactor authentication configured. See Configure Splunk Enterprise to use Duo Security two-factor authentication in Securing Splunk Enterprise.
SSO with SAML
Splunk software can leverage SAML authentication for single sign-on (SSO), using information provided by an external identity provider (IdP). See Authentication using single sign-on with SAML in Securing Splunk Enterprise.
Find or modify existing configurations
Find out if your users are configured for SAML SSO.
1. In Settings select Access Controls.
2. Under Authentication method select SAML.
3. A new SAML configuration appears. You can close this page to view the existing configuration.
On this page you can see if your system has SSO authentication configured for groups of users. From there you can drill down to your IdP information, the mapped groups, and the users assigned to each group.
ProxySSO authentication
ProxySSO lets you configure single sign-on (SSO) for Splunk instances through a reverse proxy server. A user logged in using ProxySSO can seamlessly access Splunk Web.
Find existing configurations
You can view any existing HTTP request headers that the proxy server sends to Splunk Web. Set enableWebDebug=true in web.conf under the settings stanza, then view the headers at:
http://<ProxyServerIP>:<ProxyServerPort>/debug/sso
ProxySSO login events are logged in var/log/splunkd.log.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12