Configure users and roles in Splunk Enterprise Security
Splunk Enterprise Security uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.
Splunk Enterprise Security relies on the admin user to run saved searches. If you plan to delete the admin user, update knowledge objects owned by that user before you do.
There are scenarios where it is still possible for an authenticated user to interact with certain core resources outside the control of Splunk Enterprise Security, which can result in a lack of auditability. Make sure that all users with access to Splunk Enterprise Security are trusted users, who have access to related data, such as findings and investigations.
Configuring user roles
Splunk Enterprise Security adds three roles to the default roles provided by Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security based on a user's access requirements. The Splunk platform administrator can assign groups of users to the roles that best fit the tasks the users will perform and manage in Splunk Enterprise Security.
The following table describes the three categories of users:
User | Description | Splunk Enterprise Security role |
---|---|---|
Security director | Seeks to understand the current security posture of the organization by reviewing primarily the Security Posture, Protection Centers, and Audit dashboards. A security director does not configure the product or manage incidents. | ess_user
|
Security analyst | Uses the Security Posture dashboard and the Mission Control page to manage and investigate security findings. Security analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security threat. They also define the thresholds used by detections and dashboards. A security analyst must be able to edit findings. | ess_analyst
|
Solution administrator | Installs and maintains Splunk platform installations and Splunk apps. This user is responsible for configuring workflows, adding new data sources, and tuning and troubleshooting the application. | admin or sc_admin
|
Each Splunk Enterprise Security custom role inherits from Splunk platform roles and adds capabilities specific to Splunk Enterprise Security. Not all of the three roles custom to Splunk Enterprise Security can be assigned to users.
The following table describes the roles and capabilities specific to Splunk Enterprise Security:
Splunk Enterprise Security role | Inherits from Splunk platform role | Added Splunk Enterprise Security capabilities | Can be assigned to users |
---|---|---|---|
ess_user |
user | Real-time search, list search head clustering, edit Splunk eventtypes in the threat Intelligence supporting add-on, manage suppressions of findings. | Yes. Replaces the user role for Splunk Enterprise Security users.
|
ess_analyst |
user, ess_user, power | Inherits ess_user and adds the capabilities to create, edit, and own findings and perform all transitions, and create and modify investigations. |
Yes. Replaces the power role for Splunk Enterprise Security users.
|
ess_admin |
user, ess_user, power, ess_analyst | Inherits ess_analyst and adds several other capabilities. |
No. You must use a Splunk platform admin role to administer a Splunk Enterprise Security installation. The |
See the capabilities specific to Splunk Enterprise Security for more details about which capabilities are assigned to which roles by default.
The Splunk platform admin
role inherits all unique Splunk Enterprise Security capabilities. In a Splunk Cloud Platform deployment, the Splunk platform admin role is named sc_admin
. Use the admin
or sc_admin
role to administer a Splunk Enterprise Security installation.
Splunk platform role | Inherits from role | Added capabilities | Accepts user assignment |
---|---|---|---|
admin |
user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
sc_admin |
user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
Splunk Enterprise Security expects that a user with the name and role of admin
exists. If Splunk Enterprise Security is installed on an on-premises Splunk Enterprise instance where the admin user's name is changed during the initial installation, then the scheduled searches included with Splunk Enterprise Security are orphaned, disabled, and an error message prompts you to reassign them.
Role inheritance
All role inheritance is preconfigured in Splunk Enterprise Security. If the capabilities of any role are changed, other inheriting roles will receive the changes.
Manage capabilities for a role
Capabilities control the level of access that roles have to various features in Splunk Enterprise Security. Use the Roles and capabilities page in Splunk Enterprise Security to review and change the capabilities assigned to a role.
- On the Splunk Enterprise Security menu bar, select Configure.
- Select All configurations and then select Roles and capabilities.
- Select and deselect the check boxes to add and remove capabilities to a role. For example, select the ess_user check box for Edit saved views to allow users to edit saved views in the analyst queue.
- Select Save.
Manage permissions for custom roles in Splunk Enterprise Security
Follow these steps if you created a custom role for Splunk Enterprise Security and you want to manage it in the general permissions along with the default Splunk Enterprise Security components:
- On the Splunk Enterprise menu bar, select Settings.
- Select Data and then select Data inputs.
- Select App permissions manager.
- Select enforce_es_permissions.
- Add your custom role to the comma separated list of roles to be managed.
- Select Save.
Now you can manage the role in the general permissions.
Capabilities specific to Splunk Enterprise Security
Splunk Enterprise Security uses custom capabilities to control access to specific features. However, if you see list_inputs
, this is a base capability that should not be removed.
Add custom roles in Splunk Enterprise Security
Add custom roles to the permissions page in Splunk Enterprise Security so that you can update access control lists (ACLs) for those custom roles.
If you add capabilities to custom roles or existing roles on the Splunk Platform Settings page, you must update the ACLs.
Follow these steps to add custom roles on the permissions page in Splunk Enterprise Security:
- In Splunk platform, go to Settings.
- Select Data and then select Data inputs.
- Select App Permissions Manager and then select enforce_es_permissions.
- In the Managed Roles field, add the new custom roles as a comma separated list.
- Select Save.
The custom roles that you add are populated in the Permissions Manager page of Splunk Enterprise Security within 60 seconds so that you can enable specific ACLs. If you only add role-based capabilities to the role and don't add the ACLs, the ACLs don't get updated. This applies to both custom roles and existing roles such as ess_analyst
. For example: If you add the edit_correlationsearches
capability to the existing ess_analyst
role, an error message is displayed when a user with the ess_analyst
role attempts to save edits to a detection because detections do not have the ess_analyst
role included in their "write" ACLs.
Capabilities are defined in the authorize.conf
configuration file for Enterprise Security.
Function in Splunk Enterprise Security | Description | Capability | ess_user | ess_analyst | ess_admin |
---|---|---|---|---|---|
Configure access to saved views for users and analysts | Allows a Splunk Enterprise Security administrator to configure specific views for analysts based on their roles in the organization. Also allows users and analysts to see the saved views that are available to them. | edit_filter_sets | X | X | |
Access data from Splunk UBA | Access data from Splunk Enterprise to Splunk UBA. | edit_uba_settings | X | ||
Adaptive response relay and associated KVStore collection | Write the Common Action Model (CAM) queue. See Configure adaptive response action relays in Splunk Enterprise Security. | edit_cam_queue | X | ||
Configuration checks | Allows you to run configuration checks. | edit_modinput_configuration_check | X | ||
Create new findings | Create ad-hoc findings from search results. See Configure findings manually to track specific fields in Splunk Enterprise Security. | edit_notable_events | X | X | |
Credential Manager | Manage credentials and certificates for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. See Manage credentials in Splunk Enterprise Security. | admin_all_objects list_storage_passwords list_app_certs edit_app_certs delete_app_certs |
X | ||
Data migrations | Allows you to perform one-time data migrations. | edit_modinput_data_migrator | X | ||
Edit the Data Model Acceleration (DMA) modular input |
Identify who can edit the Data Model Acceleration modular input. DMA is turned on for the required data models using a modular input by default. |
edit_modinput_dm_accel_settings | X | ||
Edit specific modinputs | Make changes to edit the modular name by using the "whois" feature. | edit_modinput_whois | X | ||
Edit advanced search schedule settings | Edit the schedule priority and schedule window of detections. | edit_search_schedule_priority edit_search_schedule_window |
X | ||
Edit detections | Edit detections. Users with this capability can also export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. | edit_correlationsearches schedule_search |
X | ||
Edit Distributed Configuration Management | Use distributed configuration management. See Deploy add-ons included with Splunk Enterprise Security. | edit_modinput_es_deployment_manager | X | ||
Edit Splunk Enterprise Security navigation | Make changes to the Splunk Enterprise Security navigation. See Customize the menu bar in Splunk Enterprise Security. | edit_es_navigation | X | ||
Edit identity lookup configuration | Manage asset and Identity lookup configurations. See Add asset and identity data to Splunk Enterprise Security, Enable asset and identity correlation in Splunk Enterprise Security, and Manage assets and identities in Splunk Enterprise Security. | edit_modinput_identity_manager | X | ||
Edit the settings for the analyst queue | Make changes to the analyst queue settings. See Configure the settings for the analyst queue in Splunk Enterprise Security. | edit_log_review_settings | X | ||
Edit lookups | Create and make changes to lookup table files. See Create and manage lookups in Splunk Enterprise Security. | edit_lookups, edit_managed_configurations | X | ||
Edit statuses | Make changes to the status of a finding or an investigation. See Change the status of a finding or an investigation in Splunk Enterprise Security. | edit_reviewstatuses | X | ||
Edit suppressions for findings | Edit Splunk eventtypes in the Threat Intelligence supporting add-on, and create and edit suppressions for findings. See Create suppression rules for findings in Splunk Enterprise Security. The |
edit_suppressions | X | ||
Edit findings | Make changes to findings, such as assigning them and transition them between statuses. Statuses for Splunk Enterprise Security investigations are stored in the reviewstatuses.conf file. See Manage analyst workflows using the analyst queue in Splunk Enterprise Security. | edit_notable_events | X | X | |
Edit per-panel filters | Permits the role to update per-panel filters on dashboards. See Configure per-panel filtering in Splunk Enterprise Security. | edit_per_panel_filters | X | ||
Edit app permissions manager | Allows you to edit app permissions manager. Required for essinstall. | edit_modinput_app_permissions_manager | X | ||
Edit intelligence downloads | Change intelligence download settings. | edit_modinput_threatlist | X | ||
Edit risk factors | Change risk factor settings. See Create risk factors to adjust risk scores in Splunk Enterprise Security. | edit_risk_factors | X | ||
Edit threat intelligence collections | Upload threat intelligence and perform CRUD operations on threat intelligence collections using the REST API. | edit_threat_intel_collections | X | ||
Import content | Allows you to import content from installed applications. | edit_modinput_ess_content_importer | X | ||
Migrate detections | (Internal) Used by the background script to migrate detections. | migrate_correlationsearches | X | ||
Manage configurations | Make changes to the general settings or the list of editable lookups. See Configure general settings for Splunk Enterprise Security. | edit_managed_configurations | X | ||
Manage all investigations | Allows the role to view and make changes to all investigations. See Managing access to investigations in Splunk Enterprise Security. | manage_all_investigations | X | ||
Manage analytics stories | Allows the role to make changes to analytics stories. See Manage analytics stories in Splunk Enterprise Security | edit_analyticstories | X | X | |
Manage your investigations | Create and edit investigations. Roles with this capability can make changes to investigations on which they are a collaborator. See Collaborate on investigations in Splunk Enterprise Security. | edit_timeline | X | X | |
Own findings | Allows the role to be an owner of findings. | can_own_notable_events | X | X | |
Search-driven lookups | Create lookup tables that can be populated by a search. See Create search-driven lookups in Splunk Enterprise Security. | edit_managed_configurations schedule_search |
X | ||
Update app imports | Allows you to update app imports with all apps matching a given regular expression. | edit_modinput_app_imports_update | X
|
Adjust the concurrent searches for a role
Splunk platform defines a limit on concurrently running searches for the user
and power
roles by default. You may want to change those concurrent searches for some roles.
- In Splunk Enterprise Security, select Configure.
- Select General and then select General settings.
- Review the limits for roles and change them as desired.
Item | Description |
---|---|
Search disk quota (admin) | The maximum disk space (MB) a user with the admin role can use to store search job results. |
Search jobs quota (admin) | The maximum number of concurrent searches for users with the admin role. |
Search jobs quota (power) | The maximum number of concurrent searches for users with the power role. |
To change the limits for roles other then admin
and power
, edit the authorize.conf
file to update the default search quota. See the authorize.conf.example in the Splunk Enterprise Admin manual.
Configure the roles to search multiple indexes
The Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. The Splunk platform configures all roles to search only the main
index by default.
To allow roles in Splunk Enterprise Security to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.
- In the Splunk Platform, select Settings.
- Select Access controls and then select Roles.
- Select the role name that you want to allow to search additional indexes.
- Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
- Save your changes.
- Repeat for additional roles as needed.
If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
Configure permissions for Machine Learning Toolkit SPL commands
No new capabilities are added to ES for using MLTK. To restrict permissions for MLTK SPL commands, see Change permissions in default.meta.conf in the Splunk Machine Learning Toolkit User Guide.
See also
For more information about roles, see the product documentation:
- For Splunk Enterprise, see Add and edit roles in Securing Splunk Enterprise.
- For Splunk Cloud Platform, see Manage Splunk Cloud Platform roles in Splunk Cloud Platform Admin Manual.
For more information on reassigning knowledge objects, see the product documentation:
- For Splunk Enterprise, see Reassign one or more shared knowledge objects to a new owner in the Knowledge Manager Manual.
- For Splunk Cloud Platform, see Reassign one or more shared knowledge objects to a new owner in the Knowledge Manager Manual.
For more information about working with roles, see the product documentation.
- For Splunk Enterprise, see About configuring role-based user access in the Securing Splunk Enterprise manual.
- For Splunk Cloud Platform, see Manage Splunk Cloud Platform users and roles in the Splunk Cloud Platform Admin Manual.
For more information on the need for multiple indexes, see the product documentation:Why have multiple indexes? in Splunk Enterprise Managing Indexers and Clusters of Indexers.
For more information on managing credentials, see the product documentation:
Configure and deploy indexes for Splunk Enterprise Security | Configure data models for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!