How to give a set of users access to Splunk without giving them access to the data was a problem that came up recently at one of our customers. I’m not going to divulge the actual use case but here’s something similar:
- Your company has a popular API that is used by various upstream consumers
- Open Banking APIs and Third Party Providers (fintechs) are a possible use case
- You have loads of great API metrics and events in Splunk containing lots of information about all the third party calls, the customers they are making the calls on behalf of, the outcome of the calls, etc
- You want to provide the API consumers with a dashboard showing them the outcome of their calls
- All of your API data is in the same index and creating an index per API consumer isn’t feasible
There are many other scenarios that fall into this use case, which can be summarised as “Dashboards not Data”.
Data used in this example
For this tip I’m using a feed of Octopus Agile pricing data. Octopus is an innovative energy supplier in the UK who have an electricity tariff that tracks the variable price of electricity through the day. If the wind is blowing and the turbines are spinning then prices tend to be low but they are always high through the peak usage hours (4pm to 7pm). The intended outcome is that people learn to switch their usage to cheaper / lower demand times, thereby helping to balance energy usage and aid transition from fossil fuel based electricity production to renewables.
The other great thing about Octopus is that they are data-driven and they have documented APIs.
The scenario for this tip is that we have a new user, “dom”, whom we don’t trust with full access to the underlying data (in the index) but who we do want to be able to consume our dashboard.
Here are the steps.
Create a new role
- Clone the user role into a new role called “user_no_index_access”
- For real-world usage you may also want to remove some capabilities from the role
- Remove access to any index from the role setup page (shown below)
- Create a new user “dom”, remove the “user” role and add the “user_no_index_access” role
Log in as the new “dom” user and check that they cannot search any index: 0 events are returned.
Build the dashboard
Without access to the indexes, “dom” can’t search the data. In Splunk, however, a report can run as its owner rather than as the user viewing it, so we’ll build a dashboard using reports that run as someone else (who does have access to the data).
The following search creates a timechart of our Octopus Agile pricing data. Note that we have data in the future so we need to use a time modifier that spans into the future (latest=+1d):
index=main sourcetype="octopus:tariffs:agile" latest=+1d earliest=-1d |timechart span=30m max(value_inc_vat)
We can save this as a report (Save As > Report) and choose the chart as the Content option:
We need to set the permissions on the report:
- Shared in (Display For) : App
- Run As: Owner (this is the default)
- Provide read access to the “user_no_index_access” role
Then we need to add the report to a dashboard using the Add to Dashboard button. We need to ensure that “Panel Powered By” is set to Report.
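As an added illustration (not part of the original tip), the same three steps expressed in the underlying Splunk configuration files, assuming the report is named “Agile pricing timechart” and lives in an app of your choosing; only two capabilities are shown for the role, the rest should be copied from your cloned role.

```ini
# --- etc/apps/<app>/local/authorize.conf ---
# Role for "dom": capabilities copied from the user role, but no index access.
# Only two capabilities are listed here; copy the remainder from your clone.
[role_user_no_index_access]
search = enabled
change_own_password = enabled
# Empty values mean no index may be searched, not even when named explicitly.
srchIndexesAllowed =
srchIndexesDefault =

# --- etc/apps/<app>/local/savedsearches.conf ---
# The report that powers the dashboard panel. dispatchAs = owner is the
# "Run As: Owner" setting: the search executes with the owner's index access,
# not the viewer's.
[Agile pricing timechart]
search = index=main sourcetype="octopus:tariffs:agile" latest=+1d earliest=-1d | timechart span=30m max(value_inc_vat)
dispatchAs = owner

# --- etc/apps/<app>/metadata/local.meta ---
# App-level sharing ("Display For: App" is export = none) with read access
# for the restricted role only. Stanza names are URL-encoded.
[savedsearches/Agile%20pricing%20timechart]
access = read : [ admin, user_no_index_access ], write : [ admin ]
export = none

# In the dashboard XML, "Panel Powered By: Report" corresponds to a panel
# containing <search ref="Agile pricing timechart"/> rather than an inline query.
```

Because the report runs as its owner, every user with read access to it sees its results regardless of their own index access, so treat read permission on the report as the effective data grant and review it as carefully as the role itself.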
As well as the timechart shown above we can create additional single value reports that display the current price, minimum upcoming price and maximum upcoming price. Take care to ensure all the permissions are correctly set.
Log in as the “dom” user and navigate to the dashboard – voila!
We’ve added an annotation to the timechart above (the big orange flag) so that “dom” can easily see where in the pricing graph we currently are. Next week’s tip will show you how to easily add an annotation.
For 2021 we’ve committed to posting a new Splunk tip every week!