Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Manage roles and permissions in Splunk SOAR (On-premises)

Roles in Splunk SOAR (On-premises) serve the following purposes:

  • Grant users permission to access system functionality, or restrict access to parts of the system.
  • Act as a mechanism for grouping users for approvals. See Approve actions before they run in Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual.

View your roles

To view the roles configured in your instance, perform the following steps to access the Roles page:

  1. From the Home menu, select Administration.
  2. Select User Management, then Roles & Permissions.

Splunk SOAR (On-premises) includes the following default roles that can't be edited or deleted:

Role Description
Administrator Users with this role have view, edit, and delete privileges to Splunk SOAR (On-premises) and can access all functions and settings:
  • By default, the user name associated with the administrator role is soar_local_admin.
  • View, edit, and delete permissions for everything
  • Manage users and accounts
  • Change any and all settings
  • Install or remove apps or connectors
  • Create, edit, and delete Assets
  • Create, edit, and delete workbooks
  • Create, edit, run, and delete playbooks
Asset Owner Users with this role can:
  • Create, edit, and delete assets
  • View apps or connectors, events, custom lists, playbooks, system settings, and users and roles.
Automation This is a service account role used for automated tasks including REST API operations, playbook execution, and ingestion.
Automation Engineer Users with this role can:
  • View, run, edit playbooks, and can edit playbook code
  • View apps, assets, custom lists, events, system settings, and users and roles
Incident Commander Users with this role can:
  • Create, edit, and delete cases
  • Create, edit, delete, run, or edit the code for playbooks
  • View and edit events
  • Create, edit, and delete workbooks
  • View apps, assets, system settings, and users and roles
Observer Users with this role can view everything except workbooks, but cannot edit or run anything.
OnPrem Broker This is a service account that allows the Automation Broker to view apps.

This role is assigned to a user account with a name that looks like onprem_integration_<auto-generated-id-string>. Onprem_integration users are created when you pair an instance of the Splunk SOAR Automation Broker with your Splunk SOAR (On-premises) deployment. These users do not count against a seat-based license.

Users granted multiple roles have the cumulative privileges of all the roles. You can also restrict access to specific named objects. See Named object permissions.

For deployments using the multitenancy feature, see the section Configure permissions for tenants and assets in Splunk SOAR (On-premises) in Configure multiple tenants on your Splunk SOAR (On-premises) instance.

Add a role to Splunk SOAR (On-premises)

Perform the following steps to add a new role in Splunk SOAR (On-premises):

  1. From the Home menu, select Administration.
  2. Select User Management, then Roles & Permissions.
  3. Select + Role.
  4. Enter a name for the role.
  5. (Optional) Enter a description for the role.
  6. Select the Basic Permissions provided by this role.
    Component Permission and Description
    • Select Edit to allow the user to add or delete apps, or edit settings on individual apps.
    • Select View to allow the user to view the list of installed apps, and view the settings for individual apps.
    • Select Delete to allow the user to delete assets. Note that the user also needs the View permission for assets in order to see an asset before they can edit it.
    • Select Edit to allow the user to add and edit assets.
    • Select View to allow the user the ability to look at the list of assets and individual asset configurations.
    Automation Broker
    • Select Delete to allow the user to delete Automation Brokers.
    • Select Edit to allow the user to create and edit Automation Brokers.
    • Select View to allow the user to view Automation Brokers.
    • Select Delete to allow the user to delete cases.
    • Select Edit to allow the user to create and edit cases.
    • Select View to allow the user to view cases.
    • Select Delete to allow the user to delete events.
    • Select Edit to allow the user to modify events. This includes data about the event itself (assigned owner, SLA) as well as being able to add items to artifacts and files.
    • Select View to allow the user to view events. This includes both the list of events, as well as the contents of individual events.
    Custom Lists
    • Select Delete to allow the user to delete custom lists.
    • Select Edit to allow the user to create and edit custom lists.
    • Select View to allow the user to view custom lists.
    • Select Delete to allow the user to delete playbooks.
    • Select Edit to allow the user to edit playbooks, including modifying the playbook settings such as logging, active, safe mode, and draft mode. For more information on playbook settings, see Manage settings for a playbook in Splunk SOAR (On-premises) in the Build Playbooks with the Visual Editor manual.
    • Select View to allow the user to use Action blocks in playbooks.
    • Select Execute to allow the user to execute playbooks on events.
    • Select Edit Code to allow playbook authors to manually edit Python code and customize code blocks. Authors without this permission can only use the visual block editor.
    • Select Delete to allow the user to delete workbooks. Note that the user also needs the View permission for workbooks in order to see a workbook before they can edit it.
    • Select Edit to allow the user to add and edit workbooks.
    • Select View to allow the user the ability to look at the list of workbooks.
    System Settings
    • Select Edit to allow the user to change System Settings.

      The System Settings include authentication servers. Users with the Edit permission for System Settings have the ability to perform a privilege escalation attack.

    • Select View to allow the user to view system settings.
    Users and Roles
    • Select Edit to allow the user to edit, delete and add users and roles. Security note: a user with Edit permission can grant themselves all other privileges. They should be considered equivalent to an administrator.
    • Select View to allow the user to view users and roles, including what role each user has, email addresses, and last login time.
  7. Select Label Permissions to configure label permissions for this role. The labels you see in the table depend on the labels you have defined on your instance. See Create additional custom status labels in Splunk SOAR (On-premises). The following permissions can be configured:
    Permission Description
    Delete The user can delete any object in Splunk SOAR (On-premises) that has this label. Selecting this automatically grants the Edit and View permissions.
    Edit The user can edit any object in Splunk SOAR (On-premises) that has this label. Selecting this automatically grants the View permission.
    View The user can view any object in Splunk SOAR (On-premises) with this label, but cannot modify or delete any such objects.
  8. Select Repository Permissions to configure repository permissions for this role. The repositories you see in the table depend on the repositories configured on your instance. See Configure a source control repository for your playbooks. The following permissions can be configured:
    Permission Description
    Delete The user can delete any playbook in this repository. Selecting this automatically grants the Edit and View permissions.
    Edit The user can edit any playbook in this repository. Selecting this automatically grants the View permission.
    View The user can view any playbook in this repository, but cannot modify or delete any playbooks.
    Execute The user can run any playbook in this repository.
  9. Select Create Role.
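
The following is an added example, not Splunk code: a role review that applies the rules stated above (privileges are cumulative across roles, a label Delete grant implies Edit and View, and Edit on System Settings or on Users and Roles is equivalent to administrator access). The permission tuples, custom role names, users, and label name are constructed for illustration and do not reflect the Splunk SOAR REST API schema.

```python
# Added example: constructed data and a hypothetical permission model,
# not the Splunk SOAR REST API schema.
ESCALATION = {("system_settings", "edit"), ("users_roles", "edit")}
IMPLIES = {"delete": {"edit", "view"}, "edit": {"view"}, "view": set()}

def expand_labels(grants):
    """Label rule from step 7: Delete grants Edit and View, Edit grants View."""
    return {label: set().union(*({p} | IMPLIES[p] for p in perms))
            for label, perms in grants.items()}

def effective(role_names, roles):
    """Union the basic and label permissions of every role a user holds."""
    basic, labels = set(), {}
    for name in role_names:
        basic |= set(roles[name].get("basic", ()))
        for label, perms in expand_labels(roles[name].get("labels", {})).items():
            labels.setdefault(label, set()).update(perms)
    return basic, labels

def admin_equivalent(users, roles):
    """Users outside Administrator whose combined roles allow escalation."""
    findings = {}
    for user, role_names in users.items():
        if "Administrator" in role_names:
            continue
        hits = sorted(effective(role_names, roles)[0] & ESCALATION)
        if hits:
            findings[user] = hits
    return findings

# Constructed sample roles and users (only "Administrator" is a default role).
ROLES = {
    "Administrator": {"basic": [("system_settings", "edit"), ("users_roles", "edit")]},
    "Tier1 Analyst": {"basic": [("events", "view"), ("playbooks", "execute")],
                      "labels": {"events": ["edit"]}},
    "Auth Maintainer": {"basic": [("system_settings", "edit")]},
    "Onboarding Helper": {"basic": [("users_roles", "edit")],
                          "labels": {"events": ["delete"]}},
}
USERS = {
    "alice": ["Administrator"],
    "bob": ["Tier1 Analyst"],
    "carol": ["Tier1 Analyst", "Auth Maintainer"],
    "dave": ["Tier1 Analyst", "Onboarding Helper"],
}

if __name__ == "__main__":
    for user, hits in admin_equivalent(USERS, ROLES).items():
        print(user, "->", hits)
```

Users flagged by this check should be reviewed and tracked as if they held the Administrator role.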

Add users to a role in Splunk SOAR (On-premises)

Perform the following steps to add users to a role in Splunk SOAR (On-premises):

  1. From the Home menu, select Administration.
  2. Select User Management, then Roles & Permissions.
  3. Select the role you want to edit and add users to.
  4. Select Add Users.
  5. Select a user from the drop-down list, or start typing a username to filter the users that are displayed.
  6. Select Add.
  7. Repeat and continue adding users as desired. Each time a user is added, the user card appears in the Users field in the role.

For information on viewing roles and permissions for a specific user, see Configure user permissions in the Manage users article.

Edit a role in Splunk SOAR (On-premises)

Perform the following steps to edit a role:

  1. From the Home menu, select Administration.
  2. Select User Management, then Roles & Permissions.
  3. Select a custom role you want to modify. You can modify any of the permissions in a custom role, add users or remove users. When editing a system role, you can only add or remove users.
    • Users added to a role have their permissions saved in real time, before you select Save Changes.
    • Permission changes to roles are applied in real time to the users who are granted the updated permissions, before you select Save Changes.
    • Users inheriting roles from an SSO provider must log out and log back in to Splunk SOAR (On-premises) to see their updated permissions.
  4. Select Save Changes.

Delete a role in Splunk SOAR (On-premises)

Perform the following tasks to delete a role in Splunk SOAR (On-premises):

  1. From the Home menu, select Administration.
  2. Select User Management, then Roles & Permissions.
  3. Select the role you want to delete.
  4. Select Delete Role.
  5. Select Delete to confirm that you want to delete the role.
Last modified on 15 May, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2, 6.3.0
