Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure users and roles

Splunk Enterprise Security uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular access control for your organization.


The Splunk platform supports several methods of user authentication:

Important: The Splunk platform built-in user authentication takes precedence over any configured external authentication.

Configure user roles

Splunk Enterprise Security adds three new roles in addition to the default roles provided by the Splunk platform. The new roles allow a splunk administrator to assign access to specific functions in ES based on the users access requirements. The Splunk platform administrator will assign groups of users to the roles that best fit the tasks the users will perform and manage within Enterprise Security. There are three categories of users:

  • Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand current Security Posture of the organization. A security director will not configure the product or manage incidents.
  • Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
  • Solution Administrator: Installs and maintains Splunk platform installations and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.

Each user type requires different levels of access to perform their assigned functions. The table below shows which roles in Enterprise Security are suitable match for a user category.

Role assignment Security Director Security Analyst Solution Administrator
ess_user RoundCheckMark.png
ess_analyst RoundCheckMark.png
admin RoundCheckMark.png

Splunk Enterprise Security defines 3 custom roles. Two of the roles are for user assignment, and the ess_admin role is inherited by the Splunk platform admin role.

Enterprise Security role Inherits from role Added capabilities Accepts user assignment
ess_user user real time search Yes.
Replaces the user role for ES users.
ess_analyst user, ess_user, power inherits ess_user and adds: create, edit, and own notable events and perform all transitions Yes.
Replaces the power role for ES users.
ess_admin user, ess_user, power, ess_analyst inherits ess_analyst and adds: edit correlation searches and edit review statuses No
You must use a Splunk platform admin role to administer an Enterprise Security installation.

The Splunk platform admin role inherits all unique ES capabilities. In a Splunk Cloud deployment, the Splunk platform admin role is named sc_admin. Use the admin or sc_admin role to administer an Enterprise Security installation.

Splunk platform role Inherits from role Added capabilities Accepts user assignment
admin user, ess_user, power, ess_analyst, ess_admin All Yes.
sc_admin user, ess_user, power, ess_analyst, ess_admin All Yes.

Role inheritance

All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see Add and edit roles and Securing Splunk in the Securing Splunk Enterprise Manual.

Adding capabilities to a role

Enterprise Security implements custom features on the Splunk platform. To control access to those features, additional capabilities are assigned to the Enterprise Security defined roles. Use the Permissions page in Enterprise Security to review and change the capabilities assigned to a role.

  1. On the Enterprise Security menu bar, open Configure > General
  2. Select Permissions.
  3. Find the role you want to update.
  4. Find the ES Component you want to add.
  5. Enable the component for the role.
  6. Save.

List of capabilities in ES

ES Feature Capability Set in Permissions UI
Create New Notable Events edit_tcp
Edit Correlation Searches edit_correlationsearches
Edit ES Navigation edit_es_navigation Yes
Edit Identity Lookup Configuration edit_identitylookup Yes
Edit Incident Review edit_log_review_settings Yes
Edit Lookups edit_lookups Yes
Edit Notable Event Statuses edit_tcp
transition_reviewstatus-X to Y
Edit Notable Event Suppressions edit_suppressions Yes
Edit Notable Events edit_notable_events
Edit Per Panel Filters edit_per_panel_filters Yes
Edit Threat Intelligence edit_modinput_threatlist Yes
Edit Timelines edit_timelines Yes
Manage Configurations edit_managed_configurations Yes
Own Notable Events can_own_notable_events Yes
Search Driven Lookups edit_managed_configurations
Credential Manager admin_all_objects No
Export content edit_correlationsearches Yes. Use Edit Correlation Searches.

Adjust the concurrent searches for a role

Splunk Enterprise defines a limit on concurrently running searches for the user and power roles by default. After you install Enterprise Security, review the limits for roles and change as desired. On the Enterprise Security menu bar, open to Configure > General and select General Settings.

Item Description
Search Disk Quota (admin) The maximum disk space (MB) a user assigned the admin role can use to store search job results.
Search Jobs Quota (admin) The maximum number of concurrent searches for users assigned the admin role.
Search Jobs Quota (power) The maximum number of concurrent searches for users assigned the power role.

To change the limits for roles other then admin and power, update the default search quota by editing the authorize.conf file. For an example, see the authorize.conf.example in the Splunk Enterprise Admin manual.

Configure the roles to search multiple indexes

Data sources being ingested by Splunk Enterprise are stored in multiple indexes. Distributing data into multiple indexes allow for role based access control and varying retention policies for data sources.

Splunk configures all roles to search only in the main index by default. To enable the searching of multiple indexes, manually assign any indexes that contain relevant security data to each ES role. To access the Role management page, on the Splunk Enterprise menu bar open Settings > Access Controls and select Roles. If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update and display results.

Note: When adding indexes to a role, do not include summary indexes as this can cause a search and summary index loop.

For more information on the reasons for multiple indexes, see Why have multiple indexes? in the Managing Indexers and Clusters of Indexers manual.

Last modified on 27 March, 2017
Configure and deploy indexes
Configure data models

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters