Exempt certain roles from field filters using Splunk Web
Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.
READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview
, mstats
, tstats
, typeahead
, and walklex
), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.
Exempting certain roles from field filters using Splunk Web
By default, field filters apply to all roles, unless you specify certain roles that are exempt from the field filter because they are authorized to access the confidential data. If a role is exempt from a field filter, the field filter is not run at search time for any users holding that role. As a result, users who are assigned to a role that is exempt from a field filter can see restricted data when they run searches that other non-exempt roles can't see.
Role exemptions for field filters are inherited, which means that roles inherit the exemptions of their parent. For example, say the User role is exempt from a field filter, and another role called UserInherited inherits the User role. Because of role inheritance, all users who are assigned to the User role and UserInherited role are exempt from the field filter. Inherited field filter exemptions can't be removed.
You can use role exemptions on field filters to circumvent restrictions on certain commands, such as mstats
and tstats
. If you want certain highly trusted users to be able to use these restricted commands when field filters are in use, exempt their role from a field filter, so they can use restricted commands across searches on specified indexes. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.
Prerequisites
By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform.
Steps
To use Splunk Web to exempt a role from an existing field filter, follow these steps:
- Select Settings and then Field filters from Users And Authentication.
- From the Actions menu, select Edit for the field filter you want to update.
- Select Next.
- In the Exempt role from filter (optional) page, add any roles to the list of Roles without filter that you do not want the field filter to affect. If you do not select any roles to exempt from this field filter, the field filter will apply to all roles when users run searches to which this field filter applies.
- Select Next.
- Verify that your field filter is configured properly and then select Save. Confirm that the trusted roles you have exempted from the field filter still have access to the sensitive search data that you are protecting from users holding other roles.
Examples
1. Exempt senior support staff from the PhoneNumber field filter
You work in the healthcare field and have a field that keeps track of patient's phone numbers. Because the field contains sensitive information that you don't want visible to the majority of your staff, you created a field filter for the PhoneNumber
field that replaces the value of the field with a SHA-512 hash. But, your senior support staff who need to contact patients to troubleshoot issues need access to that field data, so you need to exempt their role from the field filter.
In Splunk Web, you edit the field filter for the PhoneNumber
field by adding the Senior_Support
role to the list of Roles without filter that you do not want the field filter to affect.
Now when a member of the Senior_Support
role runs a search that accesses the PhoneNumber
field, the data for that field will be visible. However, unauthorized users who hold roles other than the Senior_Support
role just see a SHA-512 hash when their searches include events with the PhoneNumber
field.
See also
Optimize field filter performance using Splunk Web | Create field filters using configuration files |
This documentation applies to the following versions of Splunk® Enterprise: 9.3.2
Feedback submitted, thanks!