Splunk® IT Service Intelligence

Administration Manual

Create a custom role in ITSI

If you create a new role that does not inherit from one of the standard ITSI roles, you need to do four things to ensure the custom role has the appropriate level of access in ITSI:

  1. Assign the role proper capabilities.
  2. Grant the role access to ITSI indexes.
  3. Assign the role proper view-level access.
  4. Assign the role KV store collection level access.

For example, in order to assign a new role write permissions to a deep dive, that new role must first be assigned the write_deep_dives capability. The new role must also have write access to the saved_deep_dives_lister view, and write access to the itsi_pages collection.

Step 1: Assign the role proper capabilities

The instructions cover enabling or disabling object capabilities for ITSI roles in authorize.conf in Splunk Enterprise. Because this option is not available in Splunk Cloud Platform, you can instead use use Splunk Web to create and manage roles.

Prerequisites

  • Only users with file system access, such as system administrators, can assign object capabilities using a configuration file.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

Steps

  1. Open or create a local copy of authorize.conf in $SPLUNK_HOME/etc/apps/itsi/local/ directory.
  2. In the local file, enable or disable the appropriate capabilities for ITSI-specific roles. To disable a capability, replace enabled with disabled or delete the capability from the file. For an example, see Enable or disable ITSI capabilities for a role.

Step 2: Grant the role access to ITSI indexes

By default, all ITSI-specific roles have access to ITSI indexes. If you create a custom role in ITSI, assign the role access to the ITSI indexes.

If you do not update the roles with the correct indexes, searches and other objects that rely on data from unassigned indexes do not update or display results.

  1. Click Settings > Roles (or Settings > Access controls > Roles on Splunk versions prior to 8.1.0)
  2. Open the custom role.
  3. Go to the Indexes tab.
  4. Check the box in the Included tab for each of the following indexes:
      • anomaly_detection
      • itsi_grouped_alerts
      • itsi_notable_archive
      • itsi_notable_audit
      • itsi_summary
      • itsi_summary_metrics
      • itsi_tracked_alerts
      • snmptrapd (optional, used only if you're collecting SNMP traps)
  5. Click Save.
  6. (Optional) Repeat for additional roles, as needed.

Step 3: Assign the role proper view-level access

ITSI includes default entries in itsi/metadata/default.meta that determine access for ITSI roles to specific ITSI views. By default, only itoa_admin has read/write permissions for all ITSI views.

Set permissions to ITSI views in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Change Visible in the App to Created in the App to narrow the view to only ITSI objects.
  4. Filter by views to only display ITSI views.
  5. For a specific view, click Permissions in the Sharing column.
  6. Check the boxes to grant read and write permissions for ITSI roles.
  7. Click Save.

This action updates the access permissions to ITSI views for ITSI roles in $SPLUNK_HOME/etc/apps/itsi/metadata/local.meta.

Set permissions to ITSI views from the command line

  1. Create a local.meta file in the itsi/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/itsi/metadata
cp default.meta local.meta
  2. Edit itsi/metadata/local.meta.
  3. Set access for specific roles in local.meta. For example:
    [views/glass_tables_lister]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]

Step 4: Assign the role KV store collection level access

The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections.

Set permissions to KV store collections in Splunk Web

  1. In Splunk Web, go to Settings > All configurations.
  2. Set the App to IT Service Intelligence (itsi). Set the Owner to Any.
  3. Make sure Visible in the App is selected.
  4. Filter by collections-conf to only display KV store collections.
  5. For a specific view, click Permissions in the Sharing column.
  6. Check the boxes to grant read and write permissions to the various collections for ITSI roles.
  7. Click Save.

This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta.

Set permissions to KV store collections from the command line

  1. Create a local.meta file in the SA-ITOA/metadata/ directory.
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata
cp default.meta local.meta
  2. Edit SA-ITOA/metadata/local.meta
    3. .
  3. Set access for specific roles in local.meta. For example:
    [collections/itsi_services]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]
Last modified on 10 January, 2024
Configure users and roles in ITSI   ITSI capabilities reference

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters