Configure Splunk AR roles and permissions
You can grant users the ability to view, edit, or manage specific objects in the Splunk App for AR Roles tab. You can customize the capabilities and object access that a role has.
Default settings
By default, users with the ar_admin role have all Splunk AR class capabilities. Users with the ar_user role have read access to all objects, unless defined otherwise by the object access settings. You can define object access rules to manage which users can access specific objects.
Users must have the user role in Splunk web to view any AR data.
Permissions management capabilities
Users with the edit_roles capability can create, remove, or edit roles.
Users with the ar_edit_roles capability can add or remove object access in existing roles.
You can assign the edit_roles or ar_edit_roles capabilities to a user role in Splunk Web. See Add or edit a role in the Securing the Splunk Platform manual.
Settings page capabilities
Users must have the ar_admin role or the following capabilities to use the Settings tab of Splunk AR. To learn more about the Settings tab, see Configure Splunk AR.
Settings page capability | Description |
---|---|
ar_migrate_deployment_data | Users can download and import Splunk AR deployment data. To learn more about downloading and importing Splunk AR deployment data, see Migrate Splunk AR deployment data. |
edit_phantom_configuration | Users can configure a Splunk Phantom instance to use Workflow Automation with Splunk AR. To learn more about Workflow Automation, see Enable Splunk AR Workflow Automation. |
ar_manage_server_settings | Users can configure app-wide settings for the Splunk App for AR. |
Class capabilities
Splunk AR class capabilities define how users can interact with a certain class of objects.
Splunk AR comes with the following class capabilities:
Class capability | Description |
---|---|
asset_read | Users can view individual assets in the Splunk App for AR. They can view what data is associated with each asset. |
asset_write | Users can view and edit individual asset data in the Splunk App for AR. They can choose what data to associate with an asset. |
asset_manage | Users can register and unregister individual assets, and choose what data to associate. To move assets in and out of groups, the user must have asset_manage and asset_group_manage. |
asset_group_read | Users can view asset groups in the Splunk App for AR. They can view what data is associated with each asset group. |
asset_group_write | Users can view asset groups in the Splunk App for AR. They can view and edit data that's associated with each asset group. |
asset_group_manage | Users can register and unregister asset groups, and choose what data to associate. To move assets in and out of groups, the user must have asset_manage and asset_group_manage. |
workspace_read | Users can view AR workspaces and their associated data. |
workspace_write | Users can view AR workspaces, adjust visualizations, and choose what data to associate with a workspace in the Splunk AR mobile app or the Splunk App for AR. |
workspace_manage | Users can create new workspaces, delete workspaces, view AR workspaces, adjust visualizations, and choose what data to associate with a workspace in the Splunk AR mobile app or the Splunk App for AR. |
note_read | Users can view notes. |
note_write | Users can view notes and edit notes. |
note_manage | Users can view, edit, adjust, delete, and create workspace notes. |
beacon_read | Users can detect nearby beacons and view associated dashboards in the Splunk AR mobile app. |
beacon_write | Users can associate beacons with dashboards, detect nearby beacons, and view associated dashboards in the Splunk AR mobile app. |
beacon_manage | Users can add beacons, remove beacons, associate beacons with dashboards, detect nearby beacons, and view associated dashboards in the Splunk AR mobile app. |
geofence_read | Users can detect nearby geofences and view associated dashboards in the Splunk AR mobile app. |
geofence_write | Users can associate geofences with dashboards, detect nearby geofences, and view associated dashboards in the Splunk AR app. |
geofence_manage | Users can create geofences, remove geofences, associate geofences with dashboards, detect nearby geofences, and view associated dashboards in the Splunk AR app. |
playbook_read | Users can run Splunk Phantom playbooks in AR workspaces as part of Workflow Automation. |
playbook_write | Users can edit Splunk Phantom playbooks in AR workspaces as part of Workflow Automation. |
playbook_manage | Users can add, remove, reposition, and edit Splunk Phantom playbooks in AR workspaces as part of Workflow Automation. |
Object access
When creating a role, define object access to manage which users can access specific objects.
To define object access, Splunk AR mobile users must use Splunk AR version 2.3.0 or later.
Splunk AR object classes include the following:
- Assets
- Asset groups
- Workspaces
- Beacons
- Geofences
- Notes and media
- Playbooks
Object access precedence
If a user is a member of a role that has a class capability, that capability applies to any objects that aren't referenced in other roles. If you create roles that define access to a particular object, then the user must have those roles to access the object.
For example, say you create role_1 with the workspace_read capability. Then you assign role_1 to a user. role_1 has the workspace_read capability, so the user has read access to all workspaces that aren't restricted by other roles, such as workspace_1.
Now suppose you create role_2 with read access to workspace_1. Now the user doesn't have access to workspace_1, unless you assign role_2 to the user.
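The precedence rule above, as a small Python model that also reports which users lose access when a role referencing an object is created. This is an added example, not Splunk's code: it assumes that holding any one role that references the object is enough and that the class capability can come from any role the user holds, and the user names are hypothetical.

```python
# Simplified model of the object access precedence rule (not Splunk's implementation).
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: frozenset = frozenset()  # class capabilities, e.g. "workspace_read"
    objects: frozenset = frozenset()       # objects the role explicitly references


def can_access(user_roles, all_roles, obj, capability):
    """True if the roles held by the user grant `capability` on `obj`."""
    held = [all_roles[n] for n in user_roles if n in all_roles]
    # Assumption: the class capability may come from any role the user holds.
    if not any(capability in r.capabilities for r in held):
        return False
    # An object referenced by any role is restricted to members of such a role.
    if any(obj in r.objects for r in all_roles.values()):
        return any(obj in r.objects for r in held)
    # Unreferenced objects are covered by the class capability alone.
    return True


def users_losing_access(users, roles_before, roles_after, obj, capability):
    """Users who could access `obj` before a role change but cannot afterwards."""
    return sorted(
        user for user, held in users.items()
        if can_access(held, roles_before, obj, capability)
        and not can_access(held, roles_after, obj, capability)
    )


# Constructed sample data mirroring the role_1 / role_2 example.
ROLE_1 = Role("role_1", frozenset({"workspace_read"}))
ROLE_2 = Role("role_2", frozenset({"workspace_read"}), frozenset({"workspace_1"}))
BEFORE = {"role_1": ROLE_1}
AFTER = {"role_1": ROLE_1, "role_2": ROLE_2}
USERS = {"alice": ["role_1"], "bob": ["role_1", "role_2"]}  # hypothetical users

if __name__ == "__main__":
    lost = users_losing_access(USERS, BEFORE, AFTER, "workspace_1", "workspace_read")
    print("Users who lose read access to workspace_1:", lost)
```

Running a check like this before saving a role that references an existing object shows who would be locked out by the change.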
Configure Splunk AR roles and permissions
Configure Splunk AR permissions by editing or creating roles and assigning them to users in the Splunk App for AR Roles tab. You can edit roles by adding or removing class capabilities and object access, or you can create a role and define its class capabilities and object access.
Prerequisites
Complete the following steps before configuring Splunk AR permissions:
- Install the Splunk App for AR.
- Have the ar_admin role or the edit_roles capability.
- Make sure that the Splunk AR mobile app users are using Splunk AR version 3.0.0 or higher.
Create a role
- In the Splunk App for AR, navigate to the Roles tab.
- Click Roles.
- Click +Add Role.
- Name the role.
- (Optional) Select existing roles to inherit. The role that you're creating will have the same class capabilities and object access as the roles you select to inherit.
- Click Continue.
- Select the class capabilities that you want the role to have.
- Click Continue.
- Select the objects that you want the role to have access to.
- Click Continue.
- Click Save.
Edit roles
- In the Splunk App for AR, navigate to the Roles tab.
- Click the edit icon next to a role to edit it.
- Click Edit next to Inheritance, Class Capabilities, or Object Access to edit the role.
- Click Save.
Assign roles to users
After editing or creating Splunk AR roles, assign the roles to users. See Create and manage roles with Splunk Web in the Securing the Splunk Platform manual.
This documentation applies to the following versions of Splunk® App for Edge Hub and Augmented Reality: 1.10.0, 1.2.0, 1.2.1, 1.3.0, 1.4.1