Configure users and roles
Splunk Enterprise Security uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular access control for your organization.
The Splunk platform supports several methods of user authentication:
- The Splunk platform built-in user authentication system.
- User authentication using LDAP and Active Directory. For more information, see Set up user authentication with LDAP.
- Scripted authentication API: Use scripted authentication to tie authentication requests to an external authentication system, such as RADIUS or PAM. For more information, see Set up user authentication with external systems.
- Single Sign-on: For more information, see About Splunk single sign-on.
- Splunk Cloud supports SAML authentication. For more information see Configure single sign-on (SSO) to Splunk Cloud using SAML in the Splunk Cloud User manual.
Important: The Splunk platform built-in user authentication takes precedence over any configured external authentication.
Configure user roles
Splunk Enterprise Security adds three new roles in addition to the default roles provided by the Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in ES based on each user's access requirements. The Splunk platform administrator assigns groups of users to the roles that best fit the tasks the users will perform and manage within Enterprise Security. There are three categories of users:
- Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand the current security posture of the organization. A security director will not configure the product or manage incidents.
- Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
- Solution Administrator: Installs and maintains Splunk platform installations and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.
Each user type requires different levels of access to perform their assigned functions. The table below shows which roles in Enterprise Security are a suitable match for a user category.

| Role assignment | Security Director | Security Analyst | Solution Administrator |
|---|---|---|---|
Splunk Enterprise Security defines 3 custom roles. Two of the roles are for user assignment, and the ess_admin role is inherited by the Splunk platform admin role.

| Enterprise Security role | Inherits from role | Added capabilities | Accepts user assignment |
|---|---|---|---|
| ess_user | user | real time search | Yes. |
| ess_analyst | user, ess_user, power | inherits | Yes. |
| ess_admin | user, ess_user, power, ess_analyst | inherits | No. Inherited by the Splunk platform admin role. |
You must use a Splunk platform admin role to administer an Enterprise Security installation.
The Splunk platform admin role inherits all unique ES capabilities. In a Splunk Cloud deployment, the Splunk platform admin role is named sc_admin. Use the sc_admin role to administer an Enterprise Security installation.

| Splunk platform role | Inherits from role | Added capabilities | Accepts user assignment |
|---|---|---|---|
| admin | user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
| sc_admin | user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, every role that inherits from it also receives the changes, so review the inheriting roles before editing a lower-level role. For more information about roles, see Add and edit roles and Securing Splunk in the Securing Splunk Enterprise Manual.
Adding capabilities to a role
Enterprise Security implements custom features on the Splunk platform. To control access to those features, additional capabilities are assigned to the Enterprise Security defined roles. Use the Permissions page in Enterprise Security to review and change the capabilities assigned to a role.
- On the Enterprise Security menu bar, open Configure > General.
- Select Permissions.
- Find the role you want to update.
- Find the ES Component you want to add.
- Enable the component for the role.
List of capabilities in ES
| ES Feature | Capability | Set in Permissions UI |
|---|---|---|
| Create New Notable Events | edit_tcp | |
| Edit Correlation Searches | edit_correlationsearches | |
| Edit ES Navigation | edit_es_navigation | Yes |
| Edit Identity Lookup Configuration | edit_identitylookup | Yes |
| Edit Incident Review | edit_log_review_settings | Yes |
| Edit Notable Event Statuses | edit_tcp, transition_reviewstatus-X to Y | |
| Edit Notable Event Suppressions | edit_suppressions | Yes |
| Edit Notable Events | edit_notable_events | |
| Edit Per Panel Filters | edit_per_panel_filters | Yes |
| Edit Threat Intelligence | edit_modinput_threatlist | Yes |
| Own Notable Events | can_own_notable_events | Yes |
| Search Driven Lookups | edit_managed_configurations | |
| Export content | edit_correlationsearches | Yes. Use Edit Correlation Searches. |
Adjust the concurrent searches for a role
Splunk Enterprise defines a limit on concurrently running searches for the admin and power roles by default. After you install Enterprise Security, review the limits for these roles and change them as desired. On the Enterprise Security menu bar, open Configure > General and select General Settings.

| Setting | Description |
|---|---|
| Search Disk Quota (admin) | The maximum disk space (MB) a user assigned the admin role can use to store search job results. |
| Search Jobs Quota (admin) | The maximum number of concurrent searches for users assigned the admin role. |
| Search Jobs Quota (power) | The maximum number of concurrent searches for users assigned the power role. |

To change the limits for roles other than admin and power, update the default search quota by editing the authorize.conf file. For an example, see authorize.conf.example in the Splunk Enterprise Admin manual.
Configure the roles to search multiple indexes
Data sources ingested by Splunk Enterprise are stored in multiple indexes. Distributing data into multiple indexes allows for role-based access control and varying retention policies per data source.
Splunk configures all roles to search only the main index by default. To enable searching of multiple indexes, manually assign any indexes that contain relevant security data to each ES role. To access the Role management page, on the Splunk Enterprise menu bar open Settings > Access Controls and select Roles. If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
Note: When adding indexes to a role, do not include summary indexes as this can cause a search and summary index loop.
For more information on the reasons for multiple indexes, see Why have multiple indexes? in the Managing Indexers and Clusters of Indexers manual.
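The role inheritance described above (a change to one role's capabilities flows to every role that imports it), the authorize.conf file referenced in the search-quota section, and the warning about granting summary indexes to a role all come together when you audit a configuration before applying it. The following script is an added example and is not Splunk's code: it parses authorize.conf-style text (`[role_<name>]` stanzas with `importRoles`, `<capability> = enabled`, and `srchIndexesAllowed`), resolves inheritance transitively, and reports which roles an edit would affect and which roles can reach an index you have marked as a summary index. The sample conf text is constructed; the ES role and capability names are taken from this page, `rtsearch` is the platform capability name for real-time search, and the index names (including `summary_daily`) are invented for the demonstration. Roles without a stanza in the sample (`user`, `power`) are treated as contributing nothing, since their definitions live in the platform's default authorize.conf.

```python
"""Resolve effective capabilities and index access for Splunk roles.

Added example (not Splunk's code): parses authorize.conf-style text and
follows importRoles transitively, so a change to one role's stanza can be
checked against every role that inherits from it, and summary indexes
granted to a role can be spotted before they cause a search loop.
"""
import configparser
from typing import Dict, Iterable, List, Set, Tuple

# Keys that are role settings in authorize.conf rather than capabilities.
ROLE_SETTINGS = {
    "importRoles", "srchIndexesAllowed", "srchIndexesDefault", "srchFilter",
    "srchJobsQuota", "rtSrchJobsQuota", "srchDiskQuota", "srchTimeWin",
    "srchMaxTime", "cumulativeSrchJobsQuota", "cumulativeRTSrchJobsQuota",
}

# Constructed sample: role and ES capability names are from the page; the
# index names (security, firewall, summary_daily) are invented for the demo.
SAMPLE_AUTHORIZE_CONF = """\
[role_ess_user]
importRoles = user
rtsearch = enabled
srchIndexesAllowed = main;security

[role_ess_analyst]
importRoles = user;ess_user;power
edit_correlationsearches = enabled
edit_suppressions = enabled
srchIndexesAllowed = main;firewall

[role_ess_admin]
importRoles = user;ess_user;power;ess_analyst
edit_es_navigation = enabled
edit_identitylookup = enabled
srchIndexesAllowed = main;summary_daily

[role_admin]
importRoles = user;ess_user;power;ess_analyst;ess_admin
"""

Role = Dict[str, object]


def parse_authorize(text: str) -> Dict[str, Role]:
    """Return {role_name: {imports, indexes, capabilities}} for each [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case (srchIndexesAllowed, importRoles)
    parser.read_string(text)
    roles: Dict[str, Role] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        items = dict(parser.items(section))

        def split(key: str) -> List[str]:
            # authorize.conf separates list values with semicolons
            return [v for v in items.get(key, "").split(";") if v]

        roles[section[len("role_"):]] = {
            "imports": split("importRoles"),
            "indexes": split("srchIndexesAllowed"),
            "capabilities": {k for k, v in items.items()
                             if k not in ROLE_SETTINGS and v.strip().lower() == "enabled"},
        }
    return roles


def role_closure(roles: Dict[str, Role], name: str) -> Set[str]:
    """The role itself plus every role it imports, directly or indirectly."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen:  # guards against import cycles
            continue
        seen.add(current)
        stack.extend(roles.get(current, {}).get("imports", []))
    return seen


def effective_capabilities(roles: Dict[str, Role], name: str) -> Set[str]:
    """Union of capabilities over the role and everything it inherits."""
    caps: Set[str] = set()
    for r in role_closure(roles, name):
        caps |= roles.get(r, {}).get("capabilities", set())
    return caps


def effective_indexes(roles: Dict[str, Role], name: str) -> Set[str]:
    """Union of srchIndexesAllowed over the role and everything it inherits."""
    idx: Set[str] = set()
    for r in role_closure(roles, name):
        idx.update(roles.get(r, {}).get("indexes", []))
    return idx


def roles_affected_by(roles: Dict[str, Role], changed: str) -> List[str]:
    """Roles (other than `changed`) whose effective access moves when `changed` is edited."""
    return sorted(r for r in roles if r != changed and changed in role_closure(roles, r))


def find_summary_index_grants(roles: Dict[str, Role],
                              summary_indexes: Iterable[str]) -> List[Tuple[str, str]]:
    """(role, index) pairs where a role can search an operator-designated summary index."""
    summary = set(summary_indexes)
    return sorted((r, i) for r in roles for i in effective_indexes(roles, r) & summary)


if __name__ == "__main__":
    roles = parse_authorize(SAMPLE_AUTHORIZE_CONF)
    for name in sorted(roles):
        print(f"{name:12} caps={sorted(effective_capabilities(roles, name))}"
              f" indexes={sorted(effective_indexes(roles, name))}")
    print("editing ess_user also changes:", roles_affected_by(roles, "ess_user"))
    print("summary index grants:", find_summary_index_grants(roles, {"summary_daily"}))
```

Run it against a copy of your own authorize.conf by replacing the sample text; the set of summary indexes is something you supply, because nothing in the stanza itself marks an index as a summary index. Quotas (`srchJobsQuota`, `srchDiskQuota`) are deliberately not resolved here, since their inheritance rules differ from the simple union that applies to capabilities and allowed indexes.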
This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only