Implement teams in ITSI
Implement teams to restrict service-level information to only the departments or organizations that need access to it. Teams empower domain experts in different areas within an organization to create and monitor the services that pertain to their department.
- See Overview of teams in ITSI to determine whether you need to implement teams for your organization.
- Plan out what teams you need to create in ITSI. You can create teams for technology areas or for different departments within your organization. Create a team for every area that needs a separate view of ITSI service-level data or that needs to be administered independently within ITSI.
- Create team admin roles to administer each team and assign users to those roles.
- Create custom analyst and user roles for each team.
- Create teams and assign read/write permissions to the team admin roles you created.
- Create services within teams.
Step 1: Create roles to administer your teams
After you determine the teams you are going to create in ITSI, create roles to administer the services in each team.
- Create a role in the Splunk platform for each ITSI team admin.
- Configure the roles to inherit from the itoa_team_admin role in order to obtain the appropriate capabilities.
- Assign users to each team admin role you created.
For example, the Splunk administrator creates an itoa_finance_admin role that inherits from the itoa_team_admin role for the administrator of the Finance team. The Splunk admin then assigns the Finance team administrator to the
Splunk Cloud administrators need to request Splunk Support to create the custom roles needed for teams.
Step 2: Create custom roles within each team
Create custom roles for the ITSI analysts and users in each team. For example, create an itoa_finance_analyst role that inherits from the itoa_analyst role for the analysts in the Finance department. Create an itoa_finance_user role that inherits from the itoa_user role for the users in the Finance department. You can then assign permissions to the Finance team without allowing access to analysts and users from other departments.
You must configure the itoa_admin role to inherit from the custom roles you create. Otherwise, the itoa_admin role cannot assign permissions to the custom roles. Alternatively, use the admin role to assign permissions.
Step 3: Create teams
Create teams to group services by department, organization, or type of service and control access to the services.
- You must have the itoa_admin role to create a team.
- Before you create a team, you must create the team admin role that will administer the team so that you can assign permissions to the role when creating the team. See Create roles to administer your teams for information.
- Click Configure > Teams.
- Click Create Team.
- Provide a team name and description. Duplicate team names are allowed, but be aware of other team names and use naming conventions to avoid confusion.
- Assign read or write access to the listed roles as appropriate. The itoa_admin role has read/write permissions by default. If a role has write permissions for a team, a user with this role can create and modify services in the team. The user can't delete a service in the team unless the role has the delete capability for a service.
- Click Create.
If the custom team admin role to which you want to assign permissions is not listed, make sure the role has been created and inherits from the itoa_team_admin role. If you are logged in using the itoa_admin role, rather than the admin role, also make sure that the itoa_admin role inherits from the custom team admin role and any other custom roles you have created.
Open a team to see the services that belong to it or to review or change team permissions.
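The inheritance requirements from Steps 1 through 3 can be checked before creating teams. The following is an added example, not part of the Splunk documentation: it parses authorize.conf-style role stanzas, follows importRoles transitively, and reports custom roles that do not inherit from an ITSI role or that itoa_admin does not inherit. The sample configuration is constructed, and treating every non-built-in role with an itoa_ prefix as a custom ITSI role is an assumption based on the naming used on this page.

```python
import configparser

# Constructed sample authorize.conf content (not from a real deployment).
SAMPLE = """
[role_itoa_analyst]
importRoles = itoa_user
[role_itoa_team_admin]
importRoles = itoa_analyst
[role_itoa_finance_admin]
importRoles = itoa_team_admin
[role_itoa_finance_analyst]
importRoles = itoa_analyst
[role_itoa_finance_user]
importRoles = itoa_user
[role_itoa_admin]
importRoles = itoa_team_admin;itoa_finance_admin;itoa_finance_analyst
"""
BUILT_IN = {"itoa_user", "itoa_analyst", "itoa_team_admin", "itoa_admin"}

def parse_roles(conf_text):
    """Return {role: set of directly imported roles} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # conf keys are case-sensitive (importRoles)
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            raw = parser.get(section, "importRoles", fallback="")
            roles[section[5:]] = {r.strip() for r in raw.split(";") if r.strip()}
    return roles

def inherited(roles, role):
    """All roles reachable from `role` through importRoles (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        for parent in roles.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def audit(roles):
    """Findings for custom itoa_* roles (prefix filter is an assumption)."""
    findings, admin_sees = [], inherited(roles, "itoa_admin")
    for role in sorted(r for r in roles if r.startswith("itoa_") and r not in BUILT_IN):
        if not inherited(roles, role) & BUILT_IN:
            findings.append(f"{role}: does not inherit from any ITSI role")
        if role not in admin_sees:
            findings.append(f"{role}: not inherited by itoa_admin")
    return findings
```

In the constructed sample, audit(parse_roles(SAMPLE)) flags itoa_finance_user because itoa_admin does not import it, which is the condition under which itoa_admin cannot assign permissions to that role.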
Step 4: Create services within each team
After the administrator creates teams, the team admins that are assigned read/write permissions can create services within their teams. When creating a service, a team admin can assign it to any team for which they have read/write permissions. ITSI administrators can also create services in private teams.
Team admins can access all of the KPI base searches, KPI templates, and entities in the Global team when creating services in their private teams. Team admins can also create dependencies on services in the Global team or within the same team. You cannot create service dependencies between services in different private teams. See Overview of creating services in ITSI for more information.
Team admins with a role that inherits from the itoa_team_admin role cannot bulk import services or entities.
Move a service to a different team
Moving a service from one team to another team breaks service dependencies if the service is dependent on another service that cannot be accessed from the new team. If a service is dependent on another service within the same team and one of the services is moved to another team, that dependency is broken. A service in a private team cannot have a dependency on a service in another private team.
You must have write permissions for both teams to move a service from one team to another.
- Click Configure > Teams.
- Select the team containing the service you want to move.
- Select the name of the service you want to move.
- Click the Settings tab and select the team to move it to in the Team dropdown.
- Click Save.
To move more than one service at a time, go to the Services lister page and select the checkboxes next to the services you want to move. Click Bulk Actions > Edit Team and select the team to move the services to.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1