Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement!...
Transcript of Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement!...
![Page 1: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/1.jpg)
Copyright © 2014 Splunk Inc.
Sanford Owings Principal Consultant, Splunk
Cura@ng User Experience
![Page 2: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/2.jpg)
Disclaimer
2
During the course of this presenta@on, we may make forward-‐looking statements regarding future events or the expected performance of the company. We cau@on you that such statements reflect our current expecta@ons and
es@mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,
please review our filings with the SEC. The forward-‐looking statements made in the this presenta@on are being made as of the @me and date of its live presenta@on. If reviewed aPer its live presenta@on, this presenta@on may not contain current or accurate informa@on. We do not assume any obliga@on to update any forward-‐looking statements we may make. In addi@on, any informa@on about our roadmap outlines our general product direc@on and is subject to change at any @me without no@ce. It is for informa@onal purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obliga@on either to develop the features or func@onality described or to
include any such feature or func@onality in a future release.
![Page 3: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/3.jpg)
Agenda
! Problem Statement ! Controlling What Users Can See ! Corralling^W Guiding Users to Their Data ! Smoothing Workflow ! Profit!
3
![Page 4: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/4.jpg)
What’s the Issue?
4
![Page 5: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/5.jpg)
Business is Good!
5
! Increased adop@on of Splunk has brought a wider variety of users to the Splunk UI in search of the virtues of Big Data
![Page 6: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/6.jpg)
Why Is That a Problem?
6
! Poorly wri\en searches can impair other user’s ability to use the system
! Search language can be hard to pick up ! These “business” users may not have the @me to sort through events, instead they want to see results – Splunk centers of exper@se may be burdened with dashboard/search
requests by users
![Page 7: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/7.jpg)
How to Mi@gate These Factors?
7
! Use roles to dis/allow access to data ! Provide some curated content ! Keep users in a walled garden
![Page 8: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/8.jpg)
Scenario
8
![Page 9: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/9.jpg)
Sample Environment firewall
weblogs Windows
bro
msad
![Page 10: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/10.jpg)
Sample Environment firewall
weblogs Windows
bro
msad
Windows Admins
Web Admins Network Admins
Managers
![Page 11: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/11.jpg)
Scenario Descrip@on
11
! Windows administrators should default to seeing Windows events – Ok to see msad index, but not by default – Windows Infrastructure app installed
! Web admins should default to seeing web events – Some summary dashboards and forms are available
! Managers should ONLY see web events – Preferably no access to search bar, summary dashboards only
! Network admins need to search bro, msad, and firewall indexes by default – Network admins can also see all other indexes
![Page 12: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/12.jpg)
Building Blocks – Roles
12
![Page 13: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/13.jpg)
Roles
13
! Roles are a handle for referring to a user/group of users ! Access permissions applied to roles ! User capabili@es defined by roles ! Can place limits on a user’s use of resources
![Page 14: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/14.jpg)
Making Use of Roles
14
! Define the role – Set limits, capabili@es and access
! Apply access rules on applica@on content ! Note that most roles inherit “user”, which has ability to search all indexes!
! A user’s capabili@es are the union of all of their access permissions
![Page 15: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/15.jpg)
Protec@ng Data
15
![Page 16: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/16.jpg)
Sample Environment firewall
weblogs Windows
bro
msad
Windows Admins
Web Admins Network Admins
Managers
win_admins web_users net_admins
![Page 17: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/17.jpg)
Splunk UI Role Management (Indexes)
17
![Page 18: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/18.jpg)
Scenario Roles (authorize.conf)
18
[role_win_admins]!importRoles = user!srchIndexesAllowed = windows;msad!srchIndexesDefault = windows!
[role_net_admins]!importRoles = user!srchIndexesAllowed = *!srchIndexesDefault = bro;firewall;msad!
[role_web_users]!importRoles = user!srchIndexesAllowed = weblogs!srchIndexesDefault = weblogs!
Web Admins Managers
Windows Admins
Network Admins
![Page 19: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/19.jpg)
Validate Accesses
19
! Who can see what? ! | rest /services/authoriza@on/roles ! imported_srchIndexesAllowed vs. srchIndexesAllowed ! Check out governance app ! h\p://apps.splunk.com/app/1866
![Page 20: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/20.jpg)
Search Results – REST API (roles)
20
![Page 21: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/21.jpg)
Fix Inherited Role
21
We can clone the user role and base the capabili@es off of that, or simply adjust it so that it doesn’t confer too much privilege
![Page 22: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/22.jpg)
Desired Constraints
22
![Page 23: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/23.jpg)
Cura@ng Content
23
![Page 24: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/24.jpg)
Constraining Users != Bad ! Guiding users to the content they want is not a bad thing – saves everybody @me
! Simple dashboards and form searches can go a long way to giving users what they’re looking for
! “index=*” on a constrained set is not going to overwhelm indexers (as much)
! Consider building a data model, allowing users to pivot
![Page 25: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/25.jpg)
“How Do I Find…?”
25
! Start a search, save as … Dashboard Panel
! Avoids icky search – admin writes a reasonable one, reuses for user content
![Page 26: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/26.jpg)
“Now What About …?”
26
! Instead of rewri@ng searches, allow the user to drive with input ! Convert search to a form (Edit Panels -‐> Add Input)
Search string may have to be adjusted to account for use of tokens
![Page 27: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/27.jpg)
“Where’s That Form…?”
27
! Modify the naviga@on menu to make custom content easier for users to find
! Sewngs > User Interface > Naviga@on Menus
![Page 28: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/28.jpg)
Walled Garden Sowing Content
28
![Page 29: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/29.jpg)
Linking Shared Content Together
29
! Create a separate app (namespace) ! Users looking for this content can find it all in one place (UI nav)
! Apps > Manage Apps > Create app
![Page 30: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/30.jpg)
Migrate or Create Content for App
30
! Exis@ng dashboards/views can be relocated to the new app
! Other content can be moved as well
![Page 31: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/31.jpg)
De-‐clu\er
31
! App menu now contains new content ! Apps geared towards admins/ superusers s@ll visible to everyone
! Set app permissions
Your applica@on name here
![Page 32: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/32.jpg)
Control App Viewership
32
! Permissions on an app govern whether it even shows up
! Many apps default to “Read by Everyone”
![Page 33: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/33.jpg)
The Walls Go Up….
33
! Reduce confusion – By limi@ng access to apps, the user is guided to their content – Some apps may not work without special access to data, so dashboards
would be blank
! S@ll requires that user select the target app
![Page 34: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/34.jpg)
Welcome to the Garden
34
! Role-‐based way to set “landing” app? ! Saves users trouble of selec@ng app menu
– Some sites may even hide the app menu, making direct placement into the app key
! Set at role level ! Sewngs > Access Control > Roles
![Page 35: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/35.jpg)
Advanced Considera@ons
35
![Page 36: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/36.jpg)
Mul@ple Search Heads
36
! Role enforcement is done by the search head – Trust rela@onship with indexer is host-‐based!
! Keep role defini@ons (and membership) consistent! – Ensure that a user can’t see data they shouldn’t simply by logging in to a
different search head
! authorize.conf contains role mappings, share with DS / Puppet / Chef, etc.
![Page 37: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/37.jpg)
LDAP/AD Integra@on ! Map LDAP / AD group membership to Splunk roles
– Creden@als in LDAP ! Another way to keep group / role membership consistent ! Documenta@on
– h\p://docs.splunk.com/Documenta@on/Splunk/latest/admin/Authen@ca@onconf
! Splunk Blog – h\p://blogs.splunk.com/2009/08/13/ldap-‐auth-‐configura@on-‐@ps/
![Page 38: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/38.jpg)
Summary
![Page 39: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/39.jpg)
Wrapping Up ! Restric@ng access to data requires a separate index, and separate roles
! Providing a basic search in the shape of a form helps users find data without being bogged down in Splunk search language – Can insulate against “expensive” searches
! Keeping users within specific apps can help guide them to data more quickly – Less confusion about what app to select, where to find the dashboard(s) – Group like content together, set as default app
![Page 40: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/40.jpg)
Resources – Splunk Docs
40
! h\p://docs.splunk.com/Documenta@on/Splunk/latest/Admin/Authorizeconf (authorize.conf – roles)
! h\p://docs.splunk.com/Documenta@on/Splunk/latest/Admin/Defaultmetaconf (default.meta, local.meta – permissions)
! h\p://docs.splunk.com/Documenta@on/Splunk/latest/Admin/ConfigureSplunktoopeninanapp (default applica@on)
![Page 41: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/41.jpg)
Resource – Splunk App
41
! (Data) Governance app – h\p://apps.splunk.com/app/1866 – Who can see which indexes? – What capabili@es do users have? – What apps do users have visibility to?
![Page 42: Curang*User* Experience* - conf.splunk.com · Agenda! Problem*Statement! Controlling*WhatUsers*Can*See*! Corralling^W*Guiding*Users*to*Their*Data! Smoothing*Workflow*! Profit!*](https://reader030.fdocuments.us/reader030/viewer/2022040708/5e0a4d4c213a217f587ff06b/html5/thumbnails/42.jpg)
THANK YOU