Configure users and roles in ITSI

Splunk IT Service Intelligence uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.

Never delete the default "admin" user from your Splunk instance. The admin user is necessary for many IT Service Intelligence features, such as notable event grouping in Episode Review. For more information about users, see About user authentication.

Roles in IT Service Intelligence

Splunk IT Service Intelligence (ITSI) provides four special roles with predefined capabilities:

itoa_user

Assign this role to users who need basic read access to ITSI. This role can read services, KPIs, and entities as well as glass tables, service analyzers, and deep dives built by others and can create private glass tables, service analyzers, and deep dives. This role can read notable events and create and delete Episode Review custom views.

itoa_analyst

Assign this role to knowledge managers in your organization who will create glass tables, deep dives, and service analyzers and work with notable events in Episode Review.

itoa_team_admin

Create team admin roles that inherit from this role. Team admins can create and administer services for ITSI teams to which they are assigned read/write access. This role can also create and manage notable event aggregation policies.

itoa_admin

Assign this role to ITSI administrators. Users possessing this role can create teams for team administrators to administer as well as create services, service templates, entities, KPI base searches, and KPI threshold templates in the Global team. This role is required to assign permissions to objects such as glass tables to other ITSI roles. Note that users with the Splunk admin role also have the itoa_admin role.

Splunk Enterprise administrators (users with the admin role) can assign users to these roles to grant an appropriate level of access to specific ITSI functions. The role to which you assign a user depends on the specific tasks the user performs inside ITSI. Splunk Cloud administrators (users with the role, sc_admin) need to request Splunk support to assign users to the ITSI roles.

You can also create custom roles. If your organization is planning to use service-level permissions (teams), you need to create custom roles that inherit from the provided ITSI roles. See Create custom roles for teams for information.

ITSI role capabilities

The following table summarizes ITSI roles, inheritance, and capabilities. ITSI roles inherit from lesser ITSI roles and thus inherit the capabilities of the lesser roles.

*The user_ad_user and metric_ad_admin roles are inherited by ITSI roles for the purposes of using anomaly detection in ITSI. Do not assign these roles to users separately.

ITSI role capabilities apply only to shared objects. Users assigned to the itoa_user role can create and manage private service analyzers, glass tables, and deep dives.

If you have the itoa_admin or itoa_team_admin role (or the capabilities of these roles) you still need write access to the Global team to write and delete global objects (service templates, entities, KPI templates, base searches, and threshold templates).

ITSI indexes

All ITSI-specific roles require access to the following ITSI indexes:

• anomaly_detection
• itsi_grouped_alerts
• itsi_notable_archive
• itsi_notable_audit
• itsi_summary
• itsi_tracked_alerts
• snmptrapd (optional, used only if SNMP traps are collected)

Enable/disable ITSI capabilities for a role

You can enable/disable object capabilities for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/local/authorize.conf.

1. Copy the authorize.conf file from the itsi/default directory to the itsi/local directory. For example:

cd $SPLUNK_HOME/etc/apps/itsi/default
cp authorize.conf ../local

2. Edit local/authorize.conf to enable or disable the appropriate capabilities for ITSI-specific roles. To disable a capability in authorize.conf replace the word "enabled" with "disabled" or delete the capability from the file.

For example, the following shows a portion of authorize.conf with read_itsi_glass_table = disabled for role_itoa_user:

## ITOA User
## The ITOA user role inherits user role
## This allows users assigned to the itoa_user role to perform all capabilities of a Splunk user
## The itoa_user role can also perform RT search
[role_itoa_user]
importRoles = user;user_ad_user

## Core dependent capabilities
list_storage_passwords = enabled
rtsearch = enabled

# For event management
edit_token_http = enabled

## ITSI specific/controlled capabilities

# Glass Table
read_itsi_glass_table = disabled

# Deep Dive
read_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled

Create custom roles for teams

If you decide to create teams in ITSI to segment your service-level data, you need to create custom roles that inherit from the standard ITSI roles to enable you to assign permissions to specific roles that correspond to specific teams. See Service-level permissions for information about service-level permissions and teams.

Create a role in the Splunk platform for each ITSI team admin and configure the roles to inherit from the itoa_team_admin role in order to obtain the appropriate capabilities. Then assign users to each team admin role you created.

For example, the Splunk admin creates an itoa_finance_admin role that inherits from the itoa_team_admin role for the administrator of the Finance team. The Splunk admin then assigns the Finance team administrator to the itoa_finance_admin role.

Likewise, create custom roles for the ITSI analysts and users in each team. This allows you to differentiate when assigning permissions to teams. For example, create an itoa_finance_analyst role that inherits from the itoa_analyst role for the analysts in the Finance department and an itoa_finance_user role that inherits from the itoa_user role for the users in the Finance department. The ITSI admin can then assign permissions to the Finance team for the itoa_finance_analyst and itoa_finance_user roles without allowing access to analysts and users from other departments.

You must configure the itoa_admin role to inherit from the custom roles you create otherwise the itoa_admin role will not be able to assign permissions to the custom roles. Alternatively, use the admin role to assign permissions.

Splunk Cloud administrators need to request Splunk Support to create the custom roles for teams.

For information about creating custom roles, see About configuring role-based user access in the Securing Splunk Enterprise manual.

Create other custom roles

If you create a new role that does not inherit from one of the standard ITSI roles, you need to do four things to ensure the custom role has the appropriate level of access in ITSI:

1. Assign the role proper capabilities.
2. Make sure the role has access to the ITSI indexes.
3. Assign the role proper view level access.
4. Assign the role KV store collection level access.

For example, in order to assign a new role write permissions to a deep dive, that new role must first be assigned the write_deep_dives capability. The new role must also have write access to the saved_deep_dives_lister view, and write access to the itsi_pages collection.

Set permissions to ITSI views

ITSI includes default entries in itsi/metadata/default.meta that determine access for ITSI roles to specific ITSI views. By default, only itoa_admin has read/write access to all ITSI views.

Set permissions to ITSI views in Splunk Web

1. In Splunk Web, go to Settings > All configurations.
2. Set the App Context to IT Service Intelligence (itsi). Set the Owner to Any.
3. Select the check box to Show only objects created in this app context. This narrows down the page view to ITSI objects only.
4. In the Sharing column, click Permissions for the specific view.
5. Select the check boxes to grant read and/or write permissions for ITSI roles. Click Save.

This updates the access permissions to ITSI views for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/metadata/local.meta.

Set permissions to ITSI views from the command line

1. Create a local.meta file in the itsi/metadata/ directory.
   

   cd $SPLUNK_HOME/etc/apps/itsi/metadata
   cp default.meta local.meta
   

2. Edit itsi/metadata/local.meta.
3. Set access for specific roles in local.meta. For example:
   

   [views/glass_tables_lister]
   access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]
   

Set permissions to KV store collections

SA-ITOA includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions. By default, only itoa_admin has read/write/delete access to all ITSI KV store collections.

Set permissions to KV store collections in Splunk Web

1. In Splunk Web, go to Settings > All configurations.
2. Set the App Context to SA-ITOA. Set Owner to Any.
3. Select the check box to Show only objects created in this app context. This narrows down the page view to SA-ITOA objects only.
4. In the Sharing column, click Permissions for the specific collection.
5. Select the check boxes to grant read and/or write permissions to the various collections for ITSI roles. Click Save.

This updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

1. Create a local.meta file in the SA-ITOA/metadata/ directory.
   

   cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
   cp default.meta local.meta
   

2. Edit SA-ITOA/metadata/local.meta
3. Set access for specific roles in local.meta. For example:
   

   [collections/itsi_services]
   access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
   

Using service-level permissions in conjunction with other access controls

See Overview of service-level permissions in ITSI for detailed information about service-level permissions and teams.

In addition to the other access control methods provided in ITSI, teams provide a more granular level of access control. Teams let you restrict read/write access to services and the KPIs associated with services within ITSI views such as glass tables, deep dives, and service analyzers.

For example, a user might have permission to view a particular glass table, but if a KPI in that glass table belongs to a service in a team for which the user does not have read permission, the KPI is not displayed. Only the data related to services for which the user has read access are displayed on the glass table.

To prevent users from being confronted with widgets they cannot view in glass tables or lanes they cannot view in deep dives, keep in mind the intended audience when creating a shared glass table or deep dive and create these visualizations for a particular team.

For example, if you are creating a glass table for the Finance team, create a shared glass table that only includes services and KPIs in the Finance team or Global team and assign read/write permissions for the glass table to the Finance team roles. Then users from other teams won't try to access the glass table and get frustrated when they can't view all of the information.