Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence


Splunk version 2.4.x reached its End of Life on October 1, 2018. Please see the migration information.
This documentation does not apply to the most recent version of ITSI.

Configure ITSI access controls

Splunk IT Service Intelligence (ITSI) provides three special roles with predefined capabilities. Splunk platform administrators can assign users to these roles to grant an appropriate level of access to specific ITSI functions. The correct role to which you assign a user depends on the specific tasks the user performs inside ITSI.

The following table summarizes ITSI roles, the roles they inherit from, and their added capabilities. ITSI roles (itoa_user, itoa_analyst, itoa_admin) and ITSI-specific capabilities are not inherited; ITSI-specific capabilities are assigned directly to each ITSI role.

Role: itoa_user
Inherits from role: user
Added capabilities:
* read services, KPIs, and entities
* read KPI threshold templates
* read glass tables
* read homeview (service analyzer)
* read deep dives
* read/write/delete deep dives context (drilldown from service analyzer or notable events)
* read correlation search
* read/write/delete event management state (notable events review)
* read/write notable events
* read/execute notable event actions

Role: itoa_analyst
Inherits from roles: user, power
Added capabilities:
* read services, KPIs, and entities
* read KPI threshold templates
* read/write/delete glass tables
* read/write/delete deep dives
* read/write/delete deep dives context
* read/write/delete homeview
* read correlation search
* read/write/delete event management state
* read/write/delete notable events
* read/execute notable event actions
* change notable event status

Role: itoa_admin
Inherits from roles: user, power
Added capabilities:
* configure permissions
* read/write/delete all ITOA objects
* read/write/delete services, KPIs, and entities
* read/write/delete KPI threshold templates
* read/write/delete correlation search
* read/write/delete event management state
* read/write/delete notable events
* read/execute notable event actions
* change notable event status

Role: admin
Inherits from roles: user, power
Added capabilities: All

Administrators can also add new users and assign those users to custom roles that have specific capabilities and a limited number of allowable searches. For more information, see About configuring role-based user access in the Securing Splunk Enterprise manual.

Note: ITSI role capabilities apply only to shared objects. Users assigned to the itoa_user role can still create and manage private service analyzers, glass tables, and deep dives.

ITOA object capabilities

ITOA object capabilities are exposed in $SPLUNK_HOME/etc/apps/SA-ITOA/default/authorize.conf.

You can enable/disable object capabilities for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/local/authorize.conf.

1. Copy the authorize.conf file from the itsi/default directory to the itsi/local directory.

cd $SPLUNK_HOME/etc/apps/itsi/default
cp authorize.conf ../local

2. Edit local/authorize.conf to enable or disable the appropriate capabilities for ITSI-specific roles. To disable a capability in authorize.conf, set its value to "disabled" or delete the capability from the file.

For example, the following shows a portion of authorize.conf with read_itsi_glass_table = disabled for role_itoa_user:

## The ITOA user role inherits user role
## This allows users assigned to the itoa_user role to perform all capabilities of a Splunk user
## The itoa_user role can also perform RT search
[role_itoa_user]
importRoles = user

## Core dependent capabilities
rtsearch = enabled

# For event management
edit_token_http = enabled

## ITSI specific/controlled capabilities

# Glass Table
read_itsi_glass_table = disabled

# Deep Dive
read_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled

# Service
read_itsi_service = enabled

Note: A write capability implies create and update. Delete is its own capability. A role which has a "service" capability has analogous capabilities for the "KPI" and "entity" type objects.

List of capabilities

The list below gives, for each SA-ITOA object type, the capability name and its description.

RBAC Perms Config
  configure_perms: Ability to configure Role Based Access Control on shared service analyzers, deep dives, and glass tables.

Service/KPIs/Entity
  read_itsi_service:
    * Ability to read service-based information in Service Analyzer.
    * Ability to pull in service-based information on a glass table/deep dive.
    * Listing of services and entities in their lister pages.
  write_itsi_service:
    * Ability to create a service.
    * Ability to create a KPI.
    * Ability to create an entity.
    * Ability to bulk import entities/services via CSV file or via search and set dependencies.
  delete_itsi_services: Ability to delete a service/KPI/entity.

KPIs Temporary (KPIs with time policies enabled)
  read_itsi_temporary_kpi: Ability to read a KPI with time policy.
  write_itsi_temporary_kpi: Ability to create a KPI with time policy.
  delete_itsi_temporary_kpi: Ability to delete a KPI with time policy.

KPI Threshold Templates
  read_itsi_kpi_threshold_template: Ability to read KPI Thresholding Template types.
  write_itsi_kpi_threshold_template: Ability to write a custom KPI threshold template type object.
  delete_itsi_kpi_threshold_template: Ability to delete a KPI threshold template type object.

Backup/Restore
  read_itsi_backup_restore: Ability to read the backup/restore page.
  write_itsi_backup_restore: Ability to create a backup/restore job.
  delete_itsi_backup_restore: Ability to delete a backup/restore job.

Glass Table
  read_itsi_glass_table: Ability to view shared glass tables.
  write_itsi_glass_table: Ability to create a shared glass table.
  delete_itsi_glass_table: Ability to delete a shared glass table.
  interact_with_itsi_glass_table: Ability to drill down and interact with glass tables. Not enforced in ITSI version 2.2.0.

Deep Dive
  read_itsi_deep_dive: Ability to view shared deep dives.
  write_itsi_deep_dive:
    * Ability to create a shared deep dive.
    * Ability to create a shared deep dive as a clone of a private deep dive.
  delete_itsi_deep_dive: Ability to delete a shared deep dive.
  interact_with_itsi_deep_dives: Ability to drill down and interact with deep dives. Not enforced in ITSI version 2.2.0.
  read_itsi_deep_dive_context: Ability to drill down to an automatically generated (unnamed) deep dive object.
  write_itsi_deep_dive_context: Ability to drill down to an automatically generated (unnamed) deep dive object for the first time.
  delete_itsi_deep_dive_context: Ability to delete an automatically generated (unnamed) deep dive object.
  interact_with_itsi_deep_dives_context: Ability to drill down and interact in deep dives context. Not enforced in ITSI version 2.2.0.

Home View (service analyzer)
  read_itsi_homeview: Ability to read a service analyzer type object. Triggered on opening the Service Analyzer page (or the ITSI app).
  write_itsi_homeview: Ability to write a service analyzer type object. Triggered on opening the Service Analyzer page (or the ITSI app) for the first time.
  delete_itsi_homeview: Ability to delete a service analyzer type object. Never triggered.
  interact_with_itsi_homeview: Ability to drill down and interact with the service analyzer. Not enforced in ITSI version 2.2.0.

Correlation Search
  read-correlation_search: Ability to read correlation searches.
  write-correlation_search: Ability to write a correlation search.
  delete-correlation_search: Ability to delete a correlation search.

Event Management State
  read_itsi_event_management_state: Ability to read the notable events review dashboard.
  write_itsi_event_management_state: Ability to write the notable events review dashboard.
  delete_itsi_event_management_state: Ability to delete the notable events review dashboard.

Notable Event
  read-notable_event: Ability to read a notable event.
  write-notable_event: Ability to modify a notable event on the index. Requires the delete_by_keyword and edit_token_http capabilities to be enabled.
  delete-notable_event: Ability to delete a notable event.

Notable Event Aggregation Policy
  read-notable_event_aggregation_policy: Ability to read a notable event aggregation policy.
  write-notable_event_aggregation_policy: Ability to write a notable event aggregation policy.
  delete-notable_event_aggregation_policy: Ability to delete a notable event aggregation policy.

Notable Event Actions
  read-notable_event_action: Ability to read a notable event action.
  execute-notable_event_action: Ability to run a notable event action.

Notable Event Status Transition (change the status field in notable events review)
  Status values: 0-Unassigned, 1-New, 2-InProgress, 3-Pending, 4-Resolved, 5-Closed
  transition_status-0_to_1-notable_event: Ability to change the status of a 0-Unassigned notable event to 1-New.
  transition_status-0_to_2-notable_event: Ability to change the status of a 0-Unassigned notable event to 2-InProgress.
  transition_status-0_to_3-notable_event: Ability to change the status of a 0-Unassigned notable event to 3-Pending.
  transition_status-0_to_4-notable_event: Ability to change the status of a 0-Unassigned notable event to 4-Resolved.
  transition_status-0_to_5-notable_event: Ability to change the status of a 0-Unassigned notable event to 5-Closed.
  Note: The above is a partial list of Notable Event Status Transition capabilities. For a complete list, see $SPLUNK_HOME/etc/apps/SA-ITOA/default/authorize.conf.

Maintenance services capabilities
  read-maintenance_calendar: Ability to read a maintenance calendar.
  write-maintenance_calendar: Ability to write a maintenance calendar.
  delete-maintenance_calendar: Ability to delete a maintenance calendar.

Set permissions to shared ITOA objects

You can set permissions in the UI for ITSI roles to three ITOA object types: Service Analyzers, Glass Tables, and Deep Dives. This applies to shared objects only. To set permissions to a private object, you must clone and save the object with Shared in App permissions.

Before a user can configure permissions for shared ITOA objects in the UI, the user's role must be assigned the configure_perms capability. By default, only itoa_admin is assigned the configure_perms capability.

To set permissions to shared ITOA objects:

  1. In the viewer page for the object type (service analyzers, glass tables, or deep dives), click Permissions for the specific object.
  2. Assign read/write permissions to ITSI roles (itoa_admin, itoa_analyst, and itoa_user) for the object.
  3. Click Save.

Set bulk permissions to shared ITOA objects

You can set bulk read/write permissions to multiple shared ITOA objects.

  1. In the viewer page for the object type (service analyzers, glass tables, or deep dives), select the specific objects that you want to assign permissions.
  2. In the Bulk Actions menu, select Edit Permissions.
  3. Assign read/write permissions to ITSI roles for the objects.

Note: The bulk permissions modal does not show the existing permissions on specific objects. To view existing permissions, click Edit Permissions for the specific object.

Set permissions to shared ITOA objects for new roles

If you create a new role, before you can set permissions to ITOA objects for that role, you must assign the role the proper capabilities, as well as the proper view-level and KV store collection-level access.

For example, if you want to assign a new role write permissions to a deep dive object, that new role must first be assigned the write_deep_dives capability. The new role must also have write access to the saved_deep_dives_lister view, and write access to the itsi_pages collection.

Set permissions to KV store collections

SA-ITOA includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles.

The following table shows the default permissions to KV store collections for ITSI roles ("none" means the role has no access). By default, only itoa_admin has read/write access to all ITSI KV store collections.

Collection name                         itoa_admin          itoa_analyst        itoa_user
itsi_services                           read/write          read                read
itsi_pages                              read/write          read/write          read
itsi_service_analyzer                   read/write          read/write          read/write
itsi_migration                          read/write          read                read
itsi_notable_event_tag                  read/write/delete   read/write/delete   read
itsi_notable_event_comment              read/write/delete   read/write          read/write
itsi_notable_event_aggregation_policy   read/write/delete   none                none
itsi_notable_event_ticketing            read/write/delete   read/write/delete   read
itisi_event_management                  read/write/delete   read/write/delete   read/write/delete
maintenance_calendar                    read/write/delete   read                read
operative_maintenance_log               read/write/delete   read                read
itsi_backup_restore_queue               read/write/delete   none                none
itsi_user_realnames                     read/write/delete   none                none
itsi_notable_event_group                read/write/delete   read/write/delete   read/write/delete

Set permissions to KV store collections in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App Context to SA-ITOA. Set Owner to Any.
  3. Select the check box to Show only objects created in this app context. This narrows down the page view to SA-ITOA objects only.
  4. In the Sharing column, click Permissions for the specific collection.
  5. Select the check boxes to grant read and/or write permissions to the various collections for ITSI roles. Click Save.

This updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

  1. Create a local.meta file in the SA-ITOA/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
    cp default.meta local.meta
    
  2. Edit SA-ITOA/metadata/local.meta
  3. Set access for specific roles in local.meta. For example:
    [collections/itsi_services]
    access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
    

Set permissions to ITSI views

ITSI includes default entries in itsi/metadata/default.meta that determine access for ITSI roles to specific ITSI views. By default, only itoa_admin has read/write access to all ITSI views.

Set permissions to ITSI views in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App Context to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Select the check box to Show only objects created in this app context. This narrows down the page view to ITSI objects only.
  4. In the Sharing column, click Permissions for the specific view.
  5. Select the check boxes to grant read and/or write permissions for ITSI roles. Click Save.

This updates the access permissions to ITSI views for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/metadata/local.meta.

Set permissions to ITSI views from the command line

  1. Create a local.meta file in the itsi/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/itsi/metadata
    cp default.meta local.meta
    
  2. Edit itsi/metadata/local.meta.
  3. Set access for specific roles in local.meta. For example:
    [views/glass_tables_lister]
    access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]
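As an added example (not from the Splunk documentation or the ITSI app), the following Python audit parses the stanza format shared by local/authorize.conf and local.meta, lists the capabilities a role has explicitly enabled (ITSI capabilities are not inherited through importRoles), and flags any role other than itoa_admin that holds write access to a collection, which you can compare against the defaults table above. The file contents embedded below are constructed samples, not the shipped files.

```python
import re

# Constructed sample of itsi/local/authorize.conf (not the shipped file)
AUTHORIZE_CONF = """
## ITSI capabilities are not inherited through importRoles; each is set directly on the role
[role_itoa_user]
importRoles = user
rtsearch = enabled
read_itsi_glass_table = disabled
read_itsi_deep_dive = enabled
read_itsi_service = enabled
"""

# Constructed sample of SA-ITOA/metadata/local.meta (not the shipped file)
LOCAL_META = """
[collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
[collections/itsi_pages]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write : [ itoa_admin, itoa_analyst ]
"""

def parse_stanzas(text):
    """Parse Splunk .conf/.meta text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def enabled_capabilities(conf_text, role):
    """Capabilities set to 'enabled' in [role_<role>]; 'disabled' or absent means not granted."""
    stanza = parse_stanzas(conf_text).get("role_" + role, {})
    return sorted(k for k, v in stanza.items() if k != "importRoles" and v == "enabled")

def meta_access(meta_text, stanza_name):
    """Return {'read': [...], 'write': [...]} parsed from the stanza's access = ... line."""
    line = parse_stanzas(meta_text).get(stanza_name, {}).get("access", "")
    return {m.group(1): [r.strip() for r in m.group(2).split(",") if r.strip()]
            for m in re.finditer(r"(read|write)\s*:\s*\[([^\]]*)\]", line)}

def non_admin_writers(meta_text):
    """Per stanza, roles other than itoa_admin that hold write access; review against the defaults table."""
    return {s: [r for r in meta_access(meta_text, s).get("write", []) if r != "itoa_admin"]
            for s in parse_stanzas(meta_text)}
```

To audit a real deployment, read the two files from $SPLUNK_HOME/etc/apps/itsi/local/authorize.conf and $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta and pass their contents in place of the constructed strings.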
    

This documentation applies to the following versions of Splunk® IT Service Intelligence: 2.4.0, 2.4.1

