Splunk® Enterprise Security

Installation and Upgrade Manual


This documentation does not apply to the most recent version of ES.

Configure users and roles

Splunk Enterprise Security uses the access control system built into the Splunk platform. Splunk platform authorization lets you add users, assign users to roles, and grant those roles capabilities, which gives your organization granular control over who can do what in Enterprise Security.


The Splunk platform supports several methods of user authentication.

Important: The Splunk platform built-in user authentication takes precedence over any configured external authentication.

Configure user roles

Splunk Enterprise Security adds three preconfigured roles, each with its own set of capabilities, to make it easier to grant users access to specific functions in Enterprise Security. The Splunk platform administrator assigns groups of users to the roles that best fit the tasks those users perform and manage within Enterprise Security. There are three categories of users:

  • Security Director: Reviews the Security Posture, Protection Center, and Audit dashboards to understand the organization's current security posture. A security director does not configure the product or manage incidents.
  • Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate security incidents. Security analysts also review the Protection Centers, provide direction on what constitutes a security incident, and define the thresholds used by correlation searches and dashboards. A security analyst needs to be able to edit correlation searches and create suppressions.
  • Solution Administrator: Installs and maintains Splunk platform installations and Splunk apps. This user is responsible for configuring workflows, onboarding new data sources, and tuning and troubleshooting the application.

Each user type requires different levels of access to perform their assigned functions. The table below shows the user category matched to an Enterprise Security role.

User category            Enterprise Security role
Security Director        ess_user
Security Analyst         ess_analyst
Solution Administrator   admin

Splunk Enterprise Security defines three custom roles (ess_user, ess_analyst, ess_admin). They are listed here together with the built-in admin role, which is the role actually used to administer ES:

  • ess_user
    Inherits from role: user
    Added capabilities: real-time search
    Accepts user assignment: Yes. Replaces the "user" role for ES users.
  • ess_analyst
    Inherits from role: user, ess_user, power
    Added capabilities: inherits ess_user and adds: create, edit, and own notable events and perform all status transitions
    Accepts user assignment: Yes. Replaces the "power" role for ES users.
  • ess_admin
    Inherits from role: user, ess_user, power, ess_analyst
    Added capabilities: inherits ess_analyst and adds: edit correlation searches and edit review statuses
    Accepts user assignment: No. You must use the "admin" role to administer an Enterprise Security installation.
  • admin
    Inherits from role: user, ess_user, power, ess_analyst, ess_admin
    Added capabilities: All
    Accepts user assignment: Yes.

Important: The ess_admin role is assigned all ES specific capabilities, but does not inherit Splunk platform admin capabilities. You must use the "admin" role to administer an Enterprise Security installation.

Role inheritance

All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, every role that inherits from it receives the change as well, so a capability added to ess_user is also gained by ess_analyst, ess_admin, and admin. For more information about roles, see "Add and edit roles" and "Securing Splunk" in the Securing Splunk Enterprise Manual.

Adding capabilities to a role

Enterprise Security implements custom features on the Splunk platform. To control access to those features, additional capabilities are assigned to the roles that Enterprise Security defines. To review and change the capabilities assigned to the ess_user or ess_analyst roles, on the Enterprise Security menu bar, open Configure > General and select Permissions.

List of capabilities in ES

ES feature                           Capability                                  Set in Permissions UI
Create New Notable Events            edit_tcp
Edit Correlation Searches            edit_correlationsearches
Edit ES Navigation                   edit_es_navigation                          Yes
Edit Identity Lookup Configuration   edit_identitylookup                         Yes
Edit Incident Review                 edit_log_review_settings                    Yes
Edit Lookups                         edit_lookups                                Yes
Edit Notable Event Statuses          edit_tcp, transition_reviewstatus-X to Y
Edit Notable Event Suppressions      edit_suppressions                           Yes
Edit Notable Events                  edit_notable_events
Edit Per Panel Filters               edit_per_panel_filters                      Yes
Edit Threat Intelligence             edit_modinput_threatlist                    Yes
Edit Timelines                       edit_timelines                              Yes
Own Notable Events                   can_own_notable_events                      Yes
Manage Configurations                edit_managed_configurations                 Yes
Credential Manager                   admin_all_objects                           No
Export content                       edit_correlationsearches                    Yes. Use Edit Correlation Searches.

"transition_reviewstatus-X to Y" stands for a family of capabilities, one per permitted status transition from status X to status Y. Note that Credential Manager requires admin_all_objects, a Splunk platform capability that the ES roles do not carry; this is one reason the admin role is needed for administration.

Adjust the concurrent searches for a role

Splunk Enterprise defines a default limit on concurrently running searches for the user and power roles. After you install Enterprise Security, review the limits for the roles and change them as needed. On the Enterprise Security menu bar, open Configure > General and select General Settings.

Item                         Description
Search Disk Quota (admin)    The maximum disk space (MB) a user assigned the admin role can use to store search job results.
Search Jobs Quota (admin)    The maximum number of concurrent searches for users assigned the admin role.
Search Jobs Quota (power)    The maximum number of concurrent searches for users assigned the power role.

To change the limits for roles other than admin and power, update the search quota manually in authorize.conf. Edit the file at $SPLUNK_HOME/etc/system/local/authorize.conf and set srchJobsQuota in the [role_<name>] stanza of each role. For example, to allow users in the ess_analyst role 15 concurrent searches:

   [role_ess_analyst]
   srchJobsQuota = 15

Configure the roles to search multiple indexes

Data sources ingested by Splunk Enterprise are stored in multiple indexes. Distributing data across multiple indexes allows role-based access control per index and a different retention policy for each data source.

By default, Splunk configures all roles to search only the main index. To enable searching of multiple indexes, manually assign the indexes that contain relevant security data to each ES role. To access the Role management page, on the Splunk Enterprise menu bar open Settings > Access Controls and select Roles. If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will return no results and the dashboards built on them will not populate.

Note: When adding indexes to a role, do not include summary indexes as this can cause a search and summary index loop.

For more details on changing a role, see "Set up multiple indexes" and "Add users and assign roles" in the Splunk Enterprise manuals.
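The following Python script is an added worked example for this page; it is not Splunk's code and the stanzas it embeds are not the authorize.conf that Enterprise Security ships. It parses an authorize.conf fragment and, for the roles described under "Role inheritance", "Adjust the concurrent searches for a role" and this section, follows importRoles transitively to compute each role's effective capabilities, searchable indexes and search job quota, and flags any summary index granted to an ES role (the loop the note above warns about). The sample stanzas are constructed to mirror the role table earlier on this page; the ES capability names are the ones listed there, `rtsearch` is the built-in capability behind "real-time search", and taking the maximum srchJobsQuota along the import chain is an assumption of the example that you should verify against your Splunk version.

```python
"""Resolve effective Splunk role settings from an authorize.conf fragment.

Added example for this page, not Splunk's own code. The stanzas in
SAMPLE_AUTHORIZE_CONF are constructed to mirror the ES role table
(ess_user -> ess_analyst -> ess_admin); they are not the authorize.conf
that Enterprise Security ships.
"""
import configparser

# Constructed sample input. importRoles, srchJobsQuota and srchIndexesAllowed
# are real authorize.conf settings; rtsearch is the built-in capability for
# real-time search; the ES capability names are the ones on this page.
# Quota values and index names are made up for the example.
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchJobsQuota = 3
srchIndexesAllowed = main

[role_power]
importRoles = user
srchJobsQuota = 6
schedule_search = enabled

[role_ess_user]
importRoles = user
rtsearch = enabled
srchIndexesAllowed = main;firewall;proxy

[role_ess_analyst]
importRoles = user;ess_user;power
edit_notable_events = enabled
can_own_notable_events = enabled
transition_reviewstatus-1_to_2 = enabled
srchJobsQuota = 15
srchIndexesAllowed = summary_notable

[role_ess_admin]
importRoles = user;ess_user;power;ess_analyst
edit_correlationsearches = enabled
edit_suppressions = enabled
"""


def parse_authorize_conf(text):
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp.items(s))
            for s in cp.sections() if s.startswith("role_")}


def effective(roles, name, _chain=()):
    """Resolve a role's effective capabilities, searchable indexes and search
    job quota by walking importRoles transitively.

    Capabilities and indexes are the union over the role and everything it
    imports, which is how Splunk inherits them. The quota is the maximum seen
    along the chain; that mirrors how Splunk applies the highest quota among a
    user's roles and is an assumption of this example for imported roles.
    Import cycles and references to undefined roles are reported as errors.
    """
    if name in _chain:
        raise ValueError("importRoles cycle: " + " -> ".join(_chain + (name,)))
    if name not in roles:
        raise KeyError(f"role {name!r} is imported but has no [role_{name}] stanza")
    own = roles[name]
    caps, indexes, quotas = set(), set(), []
    for parent in filter(None, own.get("importRoles", "").split(";")):
        inherited = effective(roles, parent, _chain + (name,))
        caps |= inherited["capabilities"]
        indexes |= inherited["indexes"]
        if inherited["quota"] is not None:
            quotas.append(inherited["quota"])
    for key, value in own.items():
        if key == "importRoles":
            continue
        if key == "srchJobsQuota":
            quotas.append(int(value))
        elif key == "srchIndexesAllowed":
            indexes |= set(filter(None, value.split(";")))
        elif value.strip().lower() == "enabled":
            caps.add(key)
    return {"capabilities": caps, "indexes": indexes,
            "quota": max(quotas) if quotas else None}


def summary_indexes_granted(roles, name):
    """Indexes a role can search whose name marks them as summary indexes;
    the page's note says these should not be assigned to ES roles."""
    return sorted(i for i in effective(roles, name)["indexes"]
                  if "summary" in i.lower())


if __name__ == "__main__":
    roles = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("ess_user", "ess_analyst", "ess_admin"):
        r = effective(roles, role)
        print(f"{role}: quota={r['quota']} indexes={sorted(r['indexes'])}")
        print(f"  capabilities={sorted(r['capabilities'])}")
        if summary_indexes_granted(roles, role):
            print(f"  WARNING: summary index assigned: "
                  f"{summary_indexes_granted(roles, role)}")
```

To run it against a real deployment, pass the file contents to parse_authorize_conf. The resolver reads only the one file you give it, whereas Splunk merges authorize.conf across the system and app directories, so use the merged output of `splunk btool authorize list` if you want the view Splunk itself applies; the ess_admin result also makes the point from the Important note above visible, since admin_all_objects never appears in its effective capabilities.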

Last modified on 27 March, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
