Splunk® Enterprise

Securing Splunk Enterprise

Exempt certain roles from field filters using Splunk Web

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

READ THIS FIRST: Should you deploy field filters in your organization?

Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security, or if your users rely heavily on commands that field filters restrict by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Exempting certain roles from field filters using Splunk Web

By default, field filters apply to all roles, unless you specify certain roles that are exempt from the field filter because they are authorized to access the confidential data. If a role is exempt from a field filter, the field filter is not run at search time for any user holding that role. As a result, users assigned to an exempt role can see, in their search results, restricted data that users holding non-exempt roles can't see.

Role exemptions for field filters are inherited, which means that roles inherit the exemptions of their parent. For example, say the User role is exempt from a field filter, and another role called UserInherited inherits the User role. Because of role inheritance, all users who are assigned to the User role and UserInherited role are exempt from the field filter. Inherited field filter exemptions can't be removed.

You can use role exemptions on field filters to circumvent restrictions on certain commands, such as mstats and tstats. If you want certain highly trusted users to be able to use these restricted commands when field filters are in use, exempt their role from a field filter, so they can use restricted commands across searches on specified indexes. See READ THIS: Restricted commands do not work in searches on indexes that have field filters.

Prerequisites

By default, to create, edit, or delete field filters, you must be a member of the admin or sc_admin role. To view field filters, you must be a member of the admin, sc_admin, or power user role. See Define roles on the Splunk platform with capabilities in Securing Splunk Platform.

Steps

To use Splunk Web to exempt a role from an existing field filter, follow these steps:

  1. Select Settings, and then under Users And Authentication select Field filters.
  2. From the Actions menu, select Edit for the field filter you want to update.
  3. Select Next.
  4. In the Exempt role from filter (optional) page, add any roles to the list of Roles without filter that you do not want the field filter to affect. If you do not select any roles to exempt from this field filter, the field filter will apply to all roles when users run searches to which this field filter applies.
  5. Select Next.
  6. Verify that your field filter is configured properly and then select Save. Confirm that the trusted roles you have exempted from the field filter still have access to the sensitive search data that you are protecting from users holding other roles.

Examples

1. Exempt senior support staff from the PhoneNumber field filter

You work in the healthcare field and have a field that keeps track of patients' phone numbers. Because the field contains sensitive information that you don't want visible to the majority of your staff, you created a field filter for the PhoneNumber field that replaces the value of the field with a SHA-512 hash. But your senior support staff, who need to contact patients to troubleshoot issues, need access to that field data, so you need to exempt their role from the field filter.

In Splunk Web, you edit the field filter for the PhoneNumber field by adding the Senior_Support role to the list of Roles without filter that you do not want the field filter to affect.

Now when a member of the Senior_Support role runs a search that accesses the PhoneNumber field, the data for that field will be visible. However, unauthorized users who hold roles other than the Senior_Support role just see a SHA-512 hash when their searches include events with the PhoneNumber field.
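To make the exemption rules concrete, here is an added Python model (not Splunk's own code and not how Splunk implements field filters internally) of the behaviour this topic describes: a filter replaces the PhoneNumber value with a SHA-512 hash unless the searching user holds an exempt role, and exemptions flow down to roles that inherit from an exempt role (the User / UserInherited case above) but not up to the parent. The role hierarchy, the Support role, and the sample events are constructed for the example; Senior_Support, User and UserInherited are the role names used on this page. The verify_exemptions function is the kind of check step 6 asks for: which roles still see the raw value after you save the filter.

```python
import hashlib

# Constructed role hierarchy for this example (child role -> roles it inherits).
# "User", "UserInherited" and "Senior_Support" are the names used on the page;
# "Support" is an assumed non-exempt role that Senior_Support inherits from.
ROLE_PARENTS = {
    "User": [],
    "UserInherited": ["User"],
    "Support": ["User"],
    "Senior_Support": ["Support"],
}


def ancestors_and_self(roles, role_parents=ROLE_PARENTS):
    """Every role a user effectively holds: the assigned roles plus all roles
    they inherit from, transitively. Unknown roles and cycles are tolerated."""
    seen = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(role_parents.get(role, []))
    return seen


def sha512_hex(value):
    """Replacement value used by the page's PhoneNumber filter: a SHA-512 hex digest."""
    return hashlib.sha512(str(value).encode("utf-8")).hexdigest()


class FieldFilter:
    """Model of one field filter: rewrites `field` in every event unless the
    searching user holds (directly or by inheritance) a role in exempt_roles."""

    def __init__(self, field, exempt_roles=(), replace=sha512_hex):
        self.field = field
        self.exempt_roles = set(exempt_roles)
        self.replace = replace

    def is_exempt(self, user_roles):
        # Exemptions are inherited: holding a child of an exempt role is enough,
        # and the child can't have that inherited exemption removed.
        return bool(ancestors_and_self(user_roles) & self.exempt_roles)

    def apply(self, event, user_roles):
        """Return a copy of the event as a user with these roles would see it."""
        out = dict(event)
        if self.field in out and not self.is_exempt(user_roles):
            out[self.field] = self.replace(out[self.field])
        return out


def run_search(events, user_roles, filters):
    """Apply every field filter to every event for one user's search."""
    results = []
    for event in events:
        for field_filter in filters:
            event = field_filter.apply(event, user_roles)
        results.append(event)
    return results


def verify_exemptions(field_filter, roles_to_check):
    """Post-save check (step 6 on the page): which roles see the raw field.
    Returns {role: True if exempt, False if the filter applies}."""
    return {role: field_filter.is_exempt([role]) for role in roles_to_check}


# Constructed sample events; the phone numbers are not real.
EVENTS = [
    {"_time": "2024-07-26T10:00:00", "patient_id": "P-001", "PhoneNumber": "555-0100"},
    {"_time": "2024-07-26T10:05:00", "patient_id": "P-002", "PhoneNumber": "555-0199"},
    {"_time": "2024-07-26T10:07:00", "patient_id": "P-003"},  # no PhoneNumber field
]

# The page's example: only Senior_Support is exempt from the PhoneNumber filter.
PHONE_FILTER = FieldFilter("PhoneNumber", exempt_roles={"Senior_Support"})


if __name__ == "__main__":
    for roles in (["Senior_Support"], ["Support"]):
        print(roles)
        for ev in run_search(EVENTS, roles, [PHONE_FILTER]):
            print("   PhoneNumber =", ev.get("PhoneNumber"))
    print(verify_exemptions(PHONE_FILTER, ["User", "Support", "Senior_Support"]))
```

Running it shows Senior_Support seeing 555-0100 and 555-0199 while Support sees 128-character hex digests, and verify_exemptions reports User and Support as not exempt. Note the direction of inheritance: exempting Senior_Support does not exempt its parent Support, but exempting User would exempt UserInherited, exactly as the inheritance paragraph above states.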

See also

Protect PII, PHI, and other sensitive data with field filters
Last modified on 26 July, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.2
