Use access control to secure Splunk data
Role-based access control (RBAC) provides flexible and effective tools that you can use to protect data on the Splunk platform.
The Splunk platform masks data to the user much like the way a relational database manages RBAC. In some cases, total segmentation of data might be necessary. In other cases, controlling the searches and results at the presentation layer, which is something you can do with many Splunk apps, might meet your security needs.
Consider the following use cases when you decide how to set up your Splunk platform configuration and whether role-based access fits your needs or not. For example:
- When intentionally or unintentionally exposing sensitive data to the wrong user might incur legal ramifications, consider creating indexes specifically for privileged and non-privileged accounts and assigning the indexes to roles that you create for each level of access.
- When there are security concerns, but not so much legal risks, you can restrict access using apps. For example, you can create an app with static dashboards and assign roles with lower clearance to those dashboards. This limits the type of information that the user that holds the role may access.
- Field encryption, search exclusions, and field aliasing to redacted data are also great ways to tighten up a limited search case.
- For extremely sensitive data, where even allowing access to a Splunk platform instance that might have sensitive data incurs legal risk, consider procuring more than one Splunk platform instance, and then configuring each instance with the data for the appropriate audience.
How to secure and harden your Splunk platform instance | About user authentication |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!