Configure users and roles
Splunk Enterprise Security uses the Access Control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular access control for your organization.
The Splunk platform supports several methods of user authentication:
- The Splunk platform built-in user authentication system.
- User authentication using LDAP and Active Directory. For more information, see Set up user authentication with LDAP.
- Scripted authentication API: Use scripted authentication to tie authentication requests to an external authentication system, such as RADIUS or PAM. For more information, see Set up user authentication with external systems.
- Single Sign-on: For more information, see About Splunk single sign-on.
Important: The Splunk platform built-in user authentication takes precedence over any configured external authentication.
Configure user roles
Splunk Enterprise Security adds three required roles, preconfigured with capabilities. The roles were created to assist in assigning users specific access to functions in Enterprise Security. The Splunk platform administrator must assign groups of users to roles that best fit the tasks the users will perform and manage within Enterprise Security. There are three categories of users:
- Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand current Security Posture of the organization. A security director will not configure the product or manage incidents.
- Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
- Solution Administrator: Installs and maintains Splunk platform installations and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.
Each user type requires different levels of access to perform their assigned functions. The table below shows the user category matched to an Enterprise Security role.
|Role||Security Director||Security Analyst||Solution Administrator|
Splunk Enterprise Security defines 3 custom roles:
|Role||Inherits from role||Added capabilities||Accepts user assignment|
||user||real time search||Yes.|
Replaces the "user" role for ES users.
||user, ess_user, power||inherits
Replaces the "power" role for ES users.
||user, ess_user, power, ess_analyst||inherits
You must use the "admin" role to administer an Enterprise Security installation.
||user, ess_user, power, ess_analyst, ess_admin||All||Yes.|
Important: The ess_admin role is assigned all ES specific capabilities, but does not inherit Splunk platform admin capabilities. You must use the "admin" role to administer an Enterprise Security installation.
All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see Add and edit roles and Securing Splunk in the Securing Splunk Enterprise Manual.
Adding capabilities to a role
Enterprise Security implements custom features on the Splunk platform. To control access to those features, additional capabilities are assigned to the Enterprise Security defined roles. To review and change the capabilities assigned to a role, use the Permissions UI in ES.
- On the Enterprise Security menu bar, open Configure > General
- Select Permissions.
- Find the role you want to update.
- Find the ES Component you want to add.
- Enable the component for the role.
List of capabilities in ES
|ES Feature||Capability||Set in Permissions UI|
|Create New Notable Events||edit_tcp
|Edit Correlation Searches||edit_correlationsearches
|Edit ES Navigation||edit_es_navigation||Yes|
|Edit Identity Lookup Configuration||edit_identitylookup||Yes|
|Edit Incident Review||edit_log_review_settings||Yes|
|Edit Notable Event Statuses||edit_tcp
transition_reviewstatus-X to Y
|Edit Notable Event Suppressions||edit_suppressions||Yes|
|Edit Notable Events||edit_notable_events
|Edit Per Panel Filters||edit_per_panel_filters||Yes|
|Edit Threat Intelligence||edit_modinput_threatlist||Yes|
|Own Notable Events||can_own_notable_events||Yes|
|Export content||edit_correlationsearches||Yes. Use Edit Correlation Searches.|
Adjust the concurrent searches for a role
Splunk Enterprise defines a limit on concurrently running searches for the
power roles by default. After you install Enterprise Security, review the limits for roles and change as desired. On the Enterprise Security menu bar, open to Configure > General and select General Settings.
|Search Disk Quota (admin)||The maximum disk space (MB) a user assigned the admin role can use to store search job results.|
|Search Jobs Quota (admin)||The maximum number of concurrent searches for users assigned the admin role.|
|Search Jobs Quota (power)||The maximum number of concurrent searches for users assigned the power role.|
To change the limits for roles other than
power, update the default search quota manually by editing the
authorize.conf file. Edit the file at
$SPLUNK_HOME/etc/system/local/authorize.conf and set
srchJobsQuota for each role.
[role_user] srchJobsQuota = 15
Configure the roles to search multiple indexes
Data sources being ingested by Splunk Enterprise are stored in multiple indexes. Distributing data into multiple indexes allow for role based access control and varying retention policies in data sources.
Splunk configures all roles to search only in the
main index by default. To enable the searching of multiple indexes, manually assign the indexes that contain relevant security data to each ES role. To access the Role management page, on the Splunk Enterprise menu bar open Settings > Access Controls and select Roles. If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update and display results.
Note: When adding indexes to a role, do not include summary indexes as this can cause a search and summary index loop.
Configure and deploy indexes
Configure data models
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4