Create a custom role in ITSI
If you create a new role that does not inherit from one of the standard ITSI roles, you need to do four things to ensure the custom role has the appropriate level of access in ITSI:
- Assign the role proper capabilities.
- Grant the role access to ITSI indexes.
- Assign the role proper view-level access.
- Assign the role KV store collection level access.
For example, in order to assign a new role write permissions to a deep dive, that new role must first be assigned the write_deep_dives
capability. The new role must also have write access to the saved_deep_dives_lister
view, and write access to the itsi_pages
collection.
Step 1: Assign the role proper capabilities
The instructions cover enabling or disabling object capabilities for ITSI roles in authorize.conf in Splunk Enterprise. Because this option is not available in Splunk Cloud Platform, you can instead use use Splunk Web to create and manage roles.
Prerequisites
- Only users with file system access, such as system administrators, can assign object capabilities using a configuration file.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
Steps
- Open or create a local copy of authorize.conf in
$SPLUNK_HOME/etc/apps/itsi/local/
directory. - In the local file, enable or disable the appropriate capabilities for ITSI-specific roles. To disable a capability, replace
enabled
withdisabled
or delete the capability from the file. For an example, see Enable or disable ITSI capabilities for a role.
Step 2: Grant the role access to ITSI indexes
By default, all ITSI-specific roles have access to ITSI indexes. If you create a custom role in ITSI, assign the role access to the ITSI indexes.
If you do not update the roles with the correct indexes, searches and other objects that rely on data from unassigned indexes do not update or display results.
- Click Settings > Roles (or Settings > Access controls > Roles on Splunk versions prior to 8.1.0)
- Open the custom role.
- Go to the Indexes tab.
- Check the box in the Included tab for each of the following indexes:
anomaly_detection
itsi_grouped_alerts
itsi_notable_archive
itsi_notable_audit
itsi_summary
itsi_summary_metrics
itsi_tracked_alerts
snmptrapd
(optional, used only if you're collecting SNMP traps)
- Click Save.
- (Optional) Repeat for additional roles, as needed.
Step 3: Assign the role proper view-level access
ITSI includes default entries in itsi/metadata/default.meta
that determine access for ITSI roles to specific ITSI views. By default, only itoa_admin
has read/write permissions for all ITSI views.
Set permissions to ITSI views in Splunk Web
- In Splunk Web, go to Settings > All configurations.
- Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
- Change Visible in the App to Created in the App to narrow the view to only ITSI objects.
- Filter by
views
to only display ITSI views. - For a specific view, click Permissions in the Sharing column.
- Check the boxes to grant read and write permissions for ITSI roles.
- Click Save.
This action updates the access permissions to ITSI views for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/metadata/local.meta
.
Set permissions to ITSI views from the command line
- Create a
local.meta
file in theitsi/metadata/
directory.
cd $SPLUNK_HOME/etc/apps/itsi/metadata cp default.meta local.meta
- Edit
itsi/metadata/local.meta
. - Set access for specific roles in
local.meta
. For example:
[views/glass_tables_lister] access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]
Step 4: Assign the role KV store collection level access
The SA-ITOA
file includes default entries in metadata/default.meta
that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin
role has read/write/delete access to all ITSI KV store collections.
Set permissions to KV store collections in Splunk Web
- In Splunk Web, go to Settings > All configurations.
- Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
- Make sure Visible in the App is selected.
- Filter by
collections-conf
to only display KV store collections. - For a specific view, click Permissions in the Sharing column.
- Check the boxes to grant read and write permissions to the various collections for ITSI roles.
- Click Save.
This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta
.
Set permissions to KV store collections from the command line
- Create a
local.meta
file in theSA-ITOA/metadata/
directory.
cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata cp default.meta local.meta
- Edit
SA-ITOA/metadata/local.meta
.
- Set access for specific roles in
local.meta
. For example:
[collections/itsi_services] access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
Configure users and roles in ITSI | ITSI capabilities reference |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1
Feedback submitted, thanks!