Set up roles and capabilities for Splunk Asset and Risk Intelligence
After you initialize data for Splunk Asset and Risk Intelligence, you can start adding roles and assigning users to those roles to manage access to functionality and data in Splunk Asset and Risk Intelligence. You can also delete a role if you no longer need it.
Add a role
You can add roles, such as those included with Splunk Asset and Risk Intelligence or those you create yourself. To add a role, complete the following steps:
- Select Admin and then Permission settings.
- Select Add role capabilities.
- Using the Role drop-down list, select the role you want to add. For example, you can select the user role, which is automatically included with Splunk Asset and Risk Intelligence. Or, if you created a custom role in the Splunk platform, you can select that role.
- Select the check boxes for the capabilities you want to include with the role.
- Select Add.
Roles included in Splunk Asset and Risk Intelligence
There are two roles included with Splunk Asset and Risk Intelligence: user and ari_admin. The following table describes each role and lists any roles from the Splunk platform that can inherit it.
Role | Description | Roles that can inherit it |
---|---|---|
user | Assign to users who need to access analyst menus for tasks such as investigating assets and assessing risk. Those with the user role have access to search only the ari_asset index. | power |
ari_admin | Assign to users who need to access administrative menus for tasks such as managing data sources, customizing metrics, and searching all Splunk Asset and Risk Intelligence indexes. | admin |
On the Permission settings page, you can find the ari_admin role set up with several Splunk Asset and Risk Intelligence capabilities by default. To edit the capabilities for this role, see Manage capabilities for a role.
Assign roles to users
To assign roles to Splunk Asset and Risk Intelligence users, you must have the Splunk platform sc_admin or admin role. From the Splunk platform, select Settings and then Roles to create, assign, and manage roles. For more information, see Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual.
If you have an admin role in a Splunk security product, you can add users and manage their roles and capabilities across Splunk security products all from one location in Splunk Cloud Platform.
Manage capabilities for a role
Splunk Asset and Risk Intelligence has several capabilities specific to the functionality in the app. To customize what users have access to, you can add and remove particular capabilities to and from roles. To add or remove capabilities to or from an existing role, complete the following steps:
- Select Admin and then Permission settings.
- In the actions column of the capabilities table, select the edit icon ( ) for the role you want to edit.
- Select or deselect the check boxes for the capabilities you want to add or remove.
- Select Update.
Capabilities in Splunk Asset and Risk Intelligence
The following table describes each capability:
Capability | Description |
---|---|
ari_dashboard_add_alerts | Create alerts based on metric defects shown on the Metrics posture page. |
ari_edit_table_fields | Edit the fields displayed in tables across the Discovery, Metrics, and Investigation pages. |
ari_manage_data_source_settings | Add, report, and manage data sources on the Data source management page. To add this capability, you must first add the admin_all_objects capability from Splunk Web. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. |
ari_manage_filters | Edit and delete saved filters. |
ari_manage_homepage_settings | Edit the dashboard on the home page. |
ari_manage_metric_settings | Create, remove, and edit metrics on the Metric framework management page. To add this capability, you must first add the admin_all_objects capability from Splunk Web. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. |
ari_manage_posture_settings | Add and remove metrics from the Metrics posture page. |
ari_manage_report_exceptions | Add and remove metric exceptions. |
ari_save_filters | Save custom filters and share with other users. |
Delete a role
To remove a role and its configured capabilities from Splunk Asset and Risk Intelligence, complete the following steps:
- Select Admin and then Permission settings.
- Find the role you want to delete, and then select the delete icon (x).
- Select Delete to confirm that you want to remove it.
Initialize data for Splunk Asset and Risk Intelligence | Uninstall Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!