User Roles in ITE Work
uses the access control system integrated with the Splunk platform. The Splunk platform authorization enables you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.
Never delete the default admin
user from your Splunk instance. The admin user is necessary for many IT Service Intelligence features, such as notable event grouping in Episode Review. For more information about users, see About user authentication in the Securing Splunk Enterprise manual.
Overview of ITE Work roles
provides four special roles with predefined capabilities:
Role | Description |
---|---|
itoa_user |
ITSI admin assigns this role to users who need basic read access to ITE Work. |
itoa_analyst |
ITSI admin assigns this role to knowledge managers in your organization who will create glass tables, deep dives, and service analyzers while working with episodes in Episode Review. |
itoa_team_admin |
ITSI admin creates team admin roles that inherit from this role. Team admins can create and administer services, and update objects for teams to which they are assigned read/write access. This role can also create and manage notable event aggregation policies. |
itoa_admin |
This role is reserved for ITSI administrators. Admins create teams for team administrators to administer. They also create objects in the Global team. This role is required to assign access to objects such as glass tables to other ITSI and ITE Work roles. Note that users with the Splunk admin role also have the itoa_admin role.
|
Splunk Enterprise administrators can assign users to these roles to grant an appropriate level of access to specific functions. The role to which you assign a user depends on the specific tasks the user performs, and level of security access that a user requires. Splunk Cloud Platform administrators with the role sc_admin
need to request Splunk support to assign users to the roles.
You can also create custom roles. If your organization is planning to use teams to manage service-level permissions, you need to create custom roles that inherit from the provided roles. See Create custom roles for teams for information.
ITE Work roles and capabilities
The following table summarizes ITE Work roles, inheritance, and capabilities. ITE Work roles inherit from lesser roles and thus inherit the capabilities of the lesser roles.
Role | Inherits from role | Capabilities |
---|---|---|
itoa_user |
user, user_ad_user* |
|
itoa_analyst |
itoa_user, user, power, user_ad_user* | All capabilities of itoa_user plus the following:
|
itoa_team_admin |
itoa_analyst, user, power, metric_ad_admin* | All capabilities of itoa_analyst plus the following:
|
itoa_admin |
itoa_team_admin, user, power, metric_ad_admin* | All capabilities of itoa_team_admin plus the following:
|
admin |
itoa_admin, itoa_analyst, itoa_user, user, power | All |
*The user_ad_user
and metric_ad_admin
roles are inherited by ITSI roles for the purposes of using anomaly detection in ITSI. Do not assign these roles to users separately.
ITE Work role capabilities apply only to shared objects. Users assigned to the itoa_user
role can create and manage private service analyzers, glass tables, and deep dives.
If you have the itoa_admin
or itoa_team_admin
role, or the capabilities of these roles, you need write access to the Global team to write and delete global objects such as service templates, entities, KPI templates, base searches, and threshold templates.
To execute actions as part of the {{PonyDocsProductAbbrev}} ServiceNow or Remedy integrations, all roles that are not admin
roles require access to the list_storage_passwords
and the edit_token_http
capability. Note that this capability enables users to view stored passwords for other applications, which is typically an admin-level capability. Ensure that you provide access only to users with proper security credentials to view stored passwords for other applications. The list_storage_passwords
capability does not provide access to individual user credentials.
Splunk Admin capabilities and Roles
Some roles inherit capabilities that are typically only available to Splunk administration roles.
The following table lists the capabilities and roles that have these capabilities:
Capability | itoa_user | itoa_analyst | itoa_team_admin | itoa_admin |
---|---|---|---|---|
edit_token_http | x | x | x | x |
list_storage_passwords | x | x | ||
list_search_head_clustering | x | x | ||
dispatch_rest_to_indexers | x | x | ||
list_settings | x | |||
edit_monitor | x |
Enable or disable capabilities for a role
You can enable or disable object capabilities for ITE Work roles in authorize.conf.
- Open or create a copy of
authorize.conf
in$SPLUNK_HOME/etc/apps/itsi/local/
directory. - In the local file, enable or disable the appropriate capabilities for ITSI-specific roles. To disable a capability, replace
enabled
withdisabled
or delete the capability from the file.
For example, the following example shows a portion of the authorize.conf
file with read_itsi_glass_table = disabled
for role_itoa_user
:
## ITOA User ## The ITOA user role inherits user role ## This allows users assigned to the itoa_user role to perform all capabilities of a Splunk user ## The itoa_user role can also perform RT search [role_itoa_user] importRoles = user;user_ad_user ## Core dependent capabilities list_storage_passwords = enabled rtsearch = enabled # For event management edit_token_http = enabled ## ITSI specific/controlled capabilities # Glass Table read_itsi_glass_table = disabled # Deep Dive read_itsi_deep_dive = enabled read_itsi_deep_dive_context = enabled write_itsi_deep_dive_context = enabled delete_itsi_deep_dive_context = enabled
Create custom roles for teams
If you decide to create teams to segment your service-level data, you must create custom roles that inherit from the standard ITSI roles. Then you can assign permissions to specific roles that correspond to specific teams. See Implement teams in ITSI for information about service-level permissions and teams.
Create a role in the Splunk platform for each ITE Work team admin and configure the roles to inherit from the itoa_team_admin
role so it has the appropriate capabilities. Then assign users to each team admin role you created.
For example, the Splunk admin creates an itoa_finance_admin
role to administer the Finance team. The role inherits from the itoa_team_admin
. The Splunk admin then assigns the Finance team administrator to the itoa_finance_admin
role.
The Finance team administrator then creates custom roles for the analysts and users on the Finance team. For example, create an itoa_finance_analyst
role that inherits from the itoa_analyst
role for the analysts in the Finance department. Likewise, create an itoa_finance_user
role that inherits from the itoa_user role
for the users in the Finance department.
The team administrator can then assign permissions to the Finance team for the itoa_finance_analyst
and itoa_finance_user
roles without allowing access to analysts and users from other departments.
You must configure the itoa_admin
role to inherit from the custom roles you create, otherwise the itoa_admin
role cannot assign permissions to the custom roles. Alternatively, use the admin role to assign permissions.
Splunk Cloud Platform administrators need to request Splunk Support to create the custom roles for teams.
For information about creating custom roles, see About configuring role-based user access in the Securing Splunk Enterprise manual.
Using teams in conjunction with other access controls
Teams provide a more granular level of access control than the roles provided with ITSI or ITE Work. Teams let you restrict read/write access to services and the KPIs associated with services within ITE Work views such as glass tables, deep dives, and service analyzers.
For example, a user might have permission to view a particular glass table, but if a KPI in that glass table belongs to a service in a team for which the user does not have read permission, the KPI is not displayed. Only the data related to services for which the user has read access are displayed on the glass table.
To prevent users from being confronted with widgets they cannot view in glass tables or lanes they cannot view in deep dives, keep in mind the intended audience when creating a shared glass table or deep dive and create these visualizations for a particular team.
For example, if you are creating a glass table for the Finance team, create a shared glass table that only includes services and KPIs in the Finance team or Global team and assign read/write permissions for the glass table to the Finance team roles. Then users from other teams won't try to access the glass table and get frustrated when they can't view all of the information.
See Overview of teams in ITSI for detailed information about service-level permissions and teams.
About administering Splunk ITE Work | Overview of backing up ITE Work KV store data |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only
Feedback submitted, thanks!