Implement service-level permissions in ITSI
This topic is an overview of the steps to implement service-level permissions in ITSI.
Read ITSI Service-level permissions and decide if you have a need to implement service-level permissions for your organization.
If you do not need to implement service-level permissions, there is no need to create roles based on the itoa_team_admin role that is delivered for the purpose of administering teams. You do not need to create any additional teams. Create all services, entities, and KPI base searches in the default Global team. If you upgrade from a previous version, all services and other service-related objects already exist in the Global team by default.
Determine the teams you need to create in ITSI. You can create teams for technology areas or for different departments within your organization. Create a team for every area that needs a separate view of ITSI service-level data or that needs to be administered independently within ITSI.
Implement service-level permissions
- Create team admin roles to administer each team and assign users to those roles.
- Create the teams and assign read/write permissions to the team admin roles you created.
- Create entities and common services in the Global team.
- Team admins create the services they need in their assigned teams.
Create roles to administer your teams
After you determine the teams you are going to create in ITSI, create roles to administer the services in each team.
Create a role in the Splunk platform for each ITSI team admin and configure the roles to inherit from the itoa_team_admin role in order to obtain the appropriate capabilities. Then assign users to each team admin role you created.
For example, the Splunk admin creates an itoa_finance_admin role that inherits from the itoa_team_admin role for the administrator of the Finance team. The Splunk admin then assigns the Finance team administrator to the itoa_finance_admin role.
Likewise, create custom roles for the ITSI analysts and users in each team. This allows you to differentiate when assigning permissions to teams. For example, create an itoa_finance_analyst role that inherits from the itoa_analyst role for the analysts in the Finance department. Create an itoa_finance_user role that inherits from the itoa_user role for the users in the Finance department. You can then assign permissions to the Finance team for the itoa_finance_analyst and itoa_finance_user roles without allowing access to analysts and users from other departments.
You must configure the itoa_admin role to inherit from the custom roles you create. Otherwise, the itoa_admin role cannot assign permissions to the custom roles. Alternatively, use the admin role to assign permissions.
Splunk Cloud administrators (using the sc_admin role) need to request Splunk Support to create the custom roles needed for teams.
For information about the itoa_team_admin role's capabilities, see Configure ITSI access controls. For information about creating custom roles, see About configuring role-based user access in the Securing Splunk Enterprise manual.
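As an added example (not part of the ITSI documentation), the Finance team roles described above expressed as authorize.conf stanzas for Splunk Enterprise; the Splunk Web Roles page writes the same settings. Role names come from this topic, and the list of roles that itoa_admin already inherits is a placeholder.

```ini
# Added example: Finance team roles from this topic as authorize.conf stanzas.
# File: $SPLUNK_HOME/etc/system/local/authorize.conf (Splunk Enterprise).
# On Splunk Cloud, request the same roles from Splunk Support instead.

# Team admin for the Finance team: inherits the itoa_team_admin capabilities.
[role_itoa_finance_admin]
importRoles = itoa_team_admin

# Analysts in Finance: inherit the itoa_analyst capabilities.
[role_itoa_finance_analyst]
importRoles = itoa_analyst

# Users in Finance: inherit the itoa_user capabilities.
[role_itoa_finance_user]
importRoles = itoa_user

# itoa_admin must inherit from the custom roles, or it cannot grant them team
# permissions. A setting in local/ replaces (does not append to) the same
# setting in the app's default authorize.conf, so keep whatever itoa_admin
# already inherits (<EXISTING_ROLES> is a placeholder) ahead of the new roles.
[role_itoa_admin]
importRoles = <EXISTING_ROLES>;itoa_finance_admin;itoa_finance_analyst;itoa_finance_user
```

After restarting Splunk, assign the Finance team administrator to itoa_finance_admin under Settings > Users, then grant the role read/write on the Finance team when you create it.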
Create teams
After you create team admin roles and assign users to the roles, you're ready to create the teams. Only users with the itoa_admin role can create a team.
When you create a team, assign read/write access to the team admin role you created for the team. For example, if you create a team called Finance, assign read/write permissions to the itoa_finance_admin role. To create a team, select Configure > Teams > New Team from the top menu bar in ITSI. See Create teams in this manual for more information.
Create entities and common services in the Global team
The ITSI administrator creates all entities in the Global team. The ITSI administrator also creates any common services or services that other teams may have a dependency on in the Global team. See Create ITSI Services for information.
By default, only the itoa_admin role has read/write access to the Global team. A user with the itoa_admin role can give write access to the Global team to other ITSI roles. If you want team admins to be able to create and modify objects in the Global team, assign these roles write permission on the Global team.
Upgrading from a previous version of ITSI
If you have upgraded ITSI from a previous version that did not contain service-level permissions, all of the existing services and service-related objects like entities and KPI base searches are contained in the Global team by default. After creating private teams, you can move any existing services from the Global team to other teams as necessary. See Move a service to another team for information.
Create services as a team admin
After creating teams, the team admins that are assigned read/write permissions can create services within their teams. When creating a service, a team admin can assign it to any team for which they have read/write access. ITSI admins (itoa_admin role) can also create services in private teams.
Team admins can access all of the KPI base searches, KPI templates, and entities in the Global team when creating services in their private teams. Team admins can also create dependencies on services in the Global team or within the same team. Service dependencies cannot be created between services in different private teams. See Create ITSI Services for more information.
Team admins (users with a role that inherits from the itoa_team_admin role) cannot do bulk imports of services and entities.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.5