Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Configure users and roles

Splunk Enterprise Security uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.

Authentication methods

The Splunk platform supports several methods of user authentication. Splunk platform built-in user authentication takes precedence over any configured external authentication. See About user authentication in Securing Splunk Enterprise.

Configuring user roles

Splunk Enterprise Security adds three roles to the default roles provided by Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in ES based on a user's access requirements. The Splunk platform administrator can assign groups of users to the roles that best fit the tasks the users will perform and manage in Splunk Enterprise Security. There are three categories of users.

User Description Splunk ES role
Security Director Seeks to understand the current security posture of the organization by reviewing primarily the Security Posture, Protection Centers, and Audit dashboards. A security director does not configure the product or manage incidents. ess_user
Security Analyst Uses the Security Posture and Incident Review dashboards to manage and investigate security incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions. ess_analyst
Solution Administrator Installs and maintains Splunk platform installations and Splunk Apps. This user is responsible for configuring workflows, adding new data sources, and tuning and troubleshooting the application. admin or sc_admin

Each Splunk Enterprise Security custom role inherits from Splunk platform roles and adds capabilities specific to Splunk ES. Not all of the three roles custom to Splunk ES can be assigned to users.

Splunk ES role Inherits from Splunk platform role Added Splunk ES capabilities Can be assigned to users
ess_user user real-time search Yes. Replaces the user role for ES users.
ess_analyst user, ess_user, power Inherits ess_user and adds: create, edit, and own notable events and perform all transitions Yes. Replaces the power role for ES users.
ess_admin user, ess_user, power, ess_analyst inherits ess_analyst and adds: edit correlation searches and edit review statuses No. You must use a Splunk platform admin role to administer an Enterprise Security installation.

The Splunk platform admin role inherits all unique ES capabilities. In a Splunk Cloud deployment, the Splunk platform admin role is named sc_admin. Use the admin or sc_admin role to administer an Enterprise Security installation.

Splunk platform role Inherits from role Added capabilities Accepts user assignment
admin user, ess_user, power, ess_analyst, ess_admin All Yes.
sc_admin user, ess_user, power, ess_analyst, ess_admin All Yes.

Role inheritance

All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see Add and edit roles and Securing Splunk in Securing Splunk Enterprise.

Add capabilities to a role

Capabilities control the level of access that roles have to various features in Splunk Enterprise Security. Use the Permissions page in Enterprise Security to review and change the capabilities assigned to a role.

  1. On the Splunk Enterprise Security menu bar, select Configure > General > Permissions.
  2. Find the role you want to update.
  3. Find the ES Component you want to add.
  4. Select the check box for the component for the role.
  5. Save.

Capabilities specific to Splunk Enterprise Security

Splunk Enterprise Security uses custom capabilities to control access to ES-specific features.

Add capabilities on the permissions page in Splunk Enterprise Security to make sure that the proper access control lists (ACLs) are updated. The permissions page makes the ACL changes for you. If you add these custom capabilities on the Splunk platform settings page, you must update the ACLs yourself.

Function in Splunk ES Description Capability
Create new notable events Create ad-hoc notable events from search results. See Manually create a notable event. edit_tcp
edit_notable_events
Edit correlation searches Edit correlation searches on Content Management. See Configuring correlation searches. edit_correlationsearches
schedule_search
Edit Distributed Configuration Management Use distributed configuration management. See Determine which add-ons to deploy on indexers.
Edit ES navigation Make changes to the Enterprise Security navigation. See Navigation. edit_es_navigation
Edit glass tables Create and modify glass tables. See Create a glass table. edit_glasstable
Edit identity lookup configuration Manage the configuration of identity lookups and restrict asset and identity correlation. See Add asset and identity data to Splunk Enterprise Security and Configure asset and identity correlation in Splunk Enterprise Security. edit_identitylookup
Edit Incident Review Make changes to Incident Review settings. See Customize Incident Review. edit_log_review_settings
Edit lookups Make changes to lookup table files. See Edit lists and lookups. edit_lookups
Edit notable event statuses Make changes to the statuses available to select for notable events. See Managing and monitoring notable event statuses. edit_tcp
edit_notable_events
transition_reviewstatus-X to Y
Edit notable event suppressions Create and edit notable event suppressions. See Create and manage notable event suppressions. edit_suppressions
Edit notable events Make changes to notable events, such as assigning them. See Triage notable events on the Incident Review dashboard. edit_notable_events
edit_tcp
Edit per-panel filters Create and manage per-panel filters for dashboards. See Advanced Filter. edit_per_panel_filters
Edit threat intelligence Create and modify threat intelligence download settings. See Threat Intelligence Download Settings. edit_modinput_threatlist
Edit timelines Create and edit investigation timelines. Only roles with this capability can make changes to investigation timelines. See Investigation timelines. edit_timelines
Manage configurations Make changes to the general settings or the list of editable lookups. See General Settings. edit_managed_configurations
Own notable events Allows the role to be an owner of notable events. See Notable Events. can_own_notable_events
Search-driven lookups Create lookup tables that can be populated by a search. See Search-driven lookups. edit_managed_configurations
schedule_search
Export content Export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. edit_correlationsearches
Credential Manager Manage credentials for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. admin_all_objects

Adjust the concurrent searches for a role

Splunk platform defines a limit on concurrently running searches for the user and power roles by default. You may want to change those concurrent searches for some roles.

  1. On the Splunk Enterprise Security menu bar, select Configure > General > General Settings.
  2. Review the limits for roles and change them as desired.
Item Description
Search Disk Quota (admin) The maximum disk space (MB) a user with the admin role can use to store search job results.
Search Jobs Quota (admin) The maximum number of concurrent searches for users with the admin role.
Search Jobs Quota (power) The maximum number of concurrent searches for users with the power role.

To change the limits for roles other then admin and power, edit the authorize.conf file to update the default search quota. See the authorize.conf.example in the Admin manual.

Configure the roles to search multiple indexes

Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. Splunk platform configures all roles to search only the main index by default. See About configuring role-based user access

To allow roles in Splunk Enterprise Security to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.

  1. Select Settings > Access Controls.
  2. Click Roles.
  3. Click the role name that you want to allow to search additional indexes.
  4. Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
  5. Save your changes.
  6. Repeat for additional roles as needed.

If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.

For more information on the reasons for multiple indexes, see Why have multiple indexes? in Managing Indexers and Clusters of Indexers.

PREVIOUS
Configure and deploy indexes
  NEXT
Configure data models

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters