Manage roles and capabilities for Splunk Mission Control users
Assign users to roles and add capabilities to those roles to manage their access to functionality and data in Splunk Mission Control.
Comparing Splunk admin roles with the Splunk Mission Control admin
The following table describes how Splunk Mission Control capabilities compare between different Splunk admin roles:
Admin role | Description |
---|---|
mc_admin | In Splunk Mission Control, mc_admin is the name of the admin role. Users with the mc_admin role inherit all Splunk Mission Control capabilities except for the ability to activate or deactivate Splunk Mission Control. |
sc_admin | In a Splunk Cloud Platform deployment, sc_admin is the name of the admin role. The sc_admin role shares the same capabilities as the mc_admin role, but also includes the ability to activate or deactivate Splunk Mission Control. You must have the sc_admin role to edit roles for users. Specifically, you must have the edit_roles_grantable capability, which is included in the sc_admin role. |
ess_admin | In a Splunk Enterprise Security (Cloud) deployment, ess_admin is the name of the admin role. The ess_admin role shares the same capabilities as the mc_admin role and is treated the same as mc_admin in Splunk Mission Control. |
If you are a user with the mc_admin, sc_admin, ess_admin, or admin role in Splunk Mission Control, you are automatically granted the Administrator role in Splunk SOAR.
View and assign user roles
You can view your assigned roles as a user of Splunk Mission Control by selecting Settings and then Roles from Splunk Web. As a user with the sc_admin role, you can also edit, create, and assign roles. For more information, see Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. To assign many roles at once, see Use role inheritance to group roles together.
If you have an admin role in a Splunk security product, you can add users and manage their roles and capabilities across Splunk security products all from one location in Splunk Cloud Platform.
If you are a Splunk SOAR (Cloud) admin, you can't create users or roles in the Splunk SOAR (Cloud) interface after you activate Splunk Mission Control. Instead, you must manage roles and capabilities for users from Splunk Cloud Platform.
As a user of Splunk Enterprise Security (Cloud), you have several new roles in addition to the default roles provided by Splunk Cloud Platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security (Cloud) based on a user's access requirements. For example, if you have the ess_analyst role in Splunk Enterprise Security (Cloud), the mc_analyst_edit_default capability is automatically imported, allowing Splunk Enterprise Security (Cloud) analysts the permission to work with Splunk Mission Control incidents. For more information on users and roles in Splunk Enterprise Security (Cloud), see Configure users and roles in the Splunk Enterprise Security (Cloud) Installation and Upgrade Manual.
Roles available to assign to Splunk Mission Control users
Splunk Mission Control includes several roles that you can assign to users to manage their access to certain functionality. The following table describes the roles available for Splunk Mission Control users and lists the included capabilities for each role.
Role name | Description | Included Splunk Mission Control capabilities |
---|---|---|
mc_admin | Assign to users who must have access to every part of the system. Users with the mc_admin role inherit all Splunk Mission Control capabilities except for the ability to activate or deactivate Splunk Mission Control. | mc_delete_soar_assets mc_delete_soar_custom_lists mc_edit_soar_apps mc_edit_soar_assets mc_edit_soar_custom_lists mc_edit_soar_system_settings mc_health_report mc_incident_settings_edit mc_incident_settings_read mc_incident_sla_settings_edit mc_incident_sla_settings_read mc_response_template_edit mc_response_template_view mc_soar_proxy_execute mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_analyst_all_edit | Assign to users who need to view and edit all incidents on the incident review page. | mc_health_report mc_incident_sla_settings_read mc_response_template_view mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_analyst_edit_<incident-type> | Assign to users who need to view and edit incidents of only a particular incident type on the incident review page. | mc_health_report mc_incident_sla_settings_read mc_response_template_view mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_analyst_read_<incident-type> | Assign to users who need to view, but not edit, incidents of a particular incident type on the incident review page. | mc_health_report mc_incident_read mc_incident_sla_settings_read mc_response_template_view mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_observer | Assign to users who need to view, but not edit, all incidents on the incident review page. | mc_health_report mc_incident_sla_settings_read mc_response_template_view mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_asset_owner | Assign to Splunk Mission Control users who need to create, edit, and delete Splunk SOAR assets and who also need to view system settings, apps or connectors, and users and roles from Splunk SOAR. | mc_delete_soar_assets mc_edit_soar_assets mc_view_soar_apps mc_view_soar_assets mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_automation_engineer | Assign to Splunk Mission Control users who need to create, edit, and delete Splunk SOAR custom lists and who also need to view apps, assets, custom lists, system settings, and users and roles from Splunk SOAR. | mc_delete_soar_custom_lists mc_edit_soar_custom_lists mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_incident_commander | Assign to Splunk Mission Control users who need to create and edit, but not delete, Splunk SOAR custom lists and who also need to view apps, assets, system settings, and users and roles from Splunk SOAR. | mc_edit_soar_custom_lists mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_observer | Assign to Splunk Mission Control users who need to view assets, system settings, custom lists, apps or connectors, and users and roles from Splunk SOAR. Users with this role can't edit or delete Splunk SOAR custom lists. | mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_repo_edit_<repo_name> | Assign to users who need to view, edit, and delete playbooks in a particular <repo_name> and who also need to edit playbook code in <repo_name>. | mc_delete_soar_assets mc_delete_soar_custom_lists mc_edit_soar_apps mc_edit_soar_assets mc_edit_soar_custom_lists mc_edit_soar_system_settings mc_health_report mc_incident_read mc_incident_settings_edit mc_incident_settings_read mc_incident_sla_settings_edit mc_incident_sla_settings_read mc_response_template_edit mc_response_template_view mc_soar_proxy_execute mc_trigger_backfill mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_repo_execute_<repo_name> | Assign to users who need to view and run, but not edit or delete, actions and playbooks in a particular <repo_name>. | mc_display_id mc_health_report mc_incident_read mc_incident_settings_edit mc_incident_settings_read mc_incident_sla_settings_edit mc_incident_sla_settings_read mc_response_template_edit mc_response_template_view mc_soar_proxy_execute mc_trigger_backfill mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_repo_view_<repo_name> | Assign to users who need to view, but not edit or delete, playbooks of a particular <repo_name>. | mc_display_id mc_health_report mc_incident_read mc_incident_settings_edit mc_incident_settings_read mc_incident_sla_settings_edit mc_incident_sla_settings_read mc_response_template_edit mc_response_template_view mc_soar_proxy_execute mc_trigger_backfill mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
mc_soar_system_edit | Assign to users to allow the Universal Forwarder modular input to send credentials to Splunk SOAR. | mc_edit_soar_system_settings |
mc_soar_proxy | Assign to users to allow the Splunk SOAR proxy user to access Splunk Mission Control endpoints. | mc_delete_soar_assets mc_delete_soar_custom_lists mc_edit_soar_apps mc_edit_soar_assets mc_edit_soar_custom_lists mc_edit_soar_system_settings mc_display_id mc_health_report mc_incident_read mc_incident_settings_edit mc_incident_settings_read mc_incident_sla_settings_edit mc_incident_sla_settings_read mc_response_template_edit mc_response_template_view mc_soar_proxy_execute mc_trigger_backfill mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
After you assign new mc_soar roles to a user, there might be up to a 1-hour delay before your changes reflect in both Splunk Mission Control and Splunk SOAR (Cloud).
Splunk Mission Control includes a few roles for internal use only. Don't use or modify the following roles: mc_analyst, mc_analyst_reader, and mc_soar_automation.
Manage indexes for roles in Splunk Mission Control
Each role in Splunk Mission Control includes access to various indexes, and each index enables particular features. The following indexes affect functionality in Splunk Mission Control:
Index | Function |
---|---|
mc_artifacts | View risk-based alerting (RBA) scores for summary fields in an incident investigation. |
mc_aux_incidents | View incidents on the Incident review page. |
mc_events | View events in the Events tab of your incident investigation. |
phantom_action_run | Search for action run logs from Splunk SOAR. |
phantom_playbook_run | Search for playbook run logs from Splunk SOAR. |
The following roles automatically have access to the indexes specific to Splunk Mission Control:
- ess_admin
- ess_analyst
- mc_admin
- mc_analyst
- sc_admin
If you want to access an index specific to Splunk Mission Control using another role, you must add the index to the role. For example, if you have the mc_observer role and you want to view events in the Events tab of your incident investigation, then you must add the mc_events index to the mc_observer role.
To add indexes to a role, complete the following steps:
- From Splunk Cloud Platform, select Settings and then Roles.
- Select the role you want to modify.
- Select Indexes.
- Add an index to the role by selecting the Included check box.
- (Optional) Select the Default check box to automatically use this index in a search when you don't specify any index.
- (Optional) To remove an index from the role, deselect the Included check box.
- Select Save.
Splunk Mission Control default users
Splunk Mission Control automatically creates the following user accounts after you activate the app. Each user has assigned capabilities for Splunk SOAR (Cloud) functionality in Splunk Mission Control.
User | Description | Assigned Splunk Mission Control capabilities |
---|---|---|
soar_automation_user | Handles automation tasks such as running actions and playbooks. As a user of Splunk Mission Control, you can't create alternate automation users in the Splunk SOAR user interface. The soar_automation_user credentials are never shared outside of Splunk Mission Control. | mc_edit_soar_custom_lists mc_edit_soar_system_settings mc_health_report mc_incident_read mc_incident_sla_settings_read mc_response_template_view mc_view_im_data mc_view_soar_apps mc_view_soar_assets mc_view_soar_custom_lists mc_view_soar_system_settings mc_view_soar_users_roles |
soar_proxy_user | Shares Splunk Mission Control API access to a paired Splunk SOAR (Cloud) instance. The paired Splunk SOAR (Cloud) instance only has access to Splunk Mission Control REST APIs and not to any other Splunk app REST APIs. This user does not have any capabilities from the default Splunk user role. | mc_soar_proxy_execute |
soar_system_settings_operator | Sends Universal Forwarder configurations to a paired Splunk SOAR (Cloud) instance. Only the paired Splunk SOAR (Cloud) instance has access to the generated Universal Forwarder. This user does not have any capabilities from the default Splunk user role. | mc_edit_soar_system_settings |
User capabilities in Splunk Mission Control
You can update the capabilities of a role assigned to a user. If you're using a custom admin role and want to share the same capabilities as the mc_admin role, make sure to add all of the mc_admin role capabilities listed in the following table.
Do not remove capabilities from the roles included with Splunk Mission Control. Removing capabilities from default roles can affect the functionality, including Splunk SOAR functionality, in Splunk Mission Control.
The following table describes what each Splunk Mission Control capability allows you to do:
Capability | Description |
---|---|
edit_missioncontrol_agreements | Accept the initial user agreement and activate or deactivate Splunk Mission Control. |
edit_intelligence_management | Create, edit, delete, and activate intelligence workflows with Threat Intelligence Management in Splunk Mission Control. |
mc_delete_soar_asset | Delete assets in Splunk SOAR (Cloud). |
mc_edit_soar_apps | Edit apps in Splunk SOAR (Cloud). |
mc_edit_soar_assets | Edit assets in Splunk SOAR (Cloud). |
mc_health_report | Call the health report endpoint on Splunk Mission Control. |
mc_incident_settings_read | View the Splunk Mission Control settings page. |
mc_incident_settings_edit | Edit Splunk Mission Control settings. |
mc_response_template_view | View response templates. |
mc_response_template_edit | Edit response templates. |
mc_trigger_backfill | Trigger all incidents in the backfill to get pushed directly to Splunk SOAR. |
mc_view_soar_apps | View apps in Splunk SOAR (Cloud). |
mc_view_soar_assets | View assets in Splunk SOAR (Cloud). |
mc_incident_sla_settings_read | View the Splunk Mission Control incident settings SLA page. |
mc_incident_sla_settings_edit | Edit the Splunk Mission Control incident SLA settings. |
mc_view_soar_system_settings | View system settings in Splunk SOAR (Cloud). |
mc_edit_soar_system_settings | Edit system settings in Splunk SOAR (Cloud). |
mc_view_soar_custom_lists | View custom lists in Splunk SOAR (Cloud). |
mc_edit_soar_custom_lists | Edit custom lists in Splunk SOAR (Cloud). |
mc_delete_soar_custom_lists | Delete custom lists in Splunk SOAR (Cloud). |
mc_view_soar_users_roles | View users and their roles in Splunk SOAR (Cloud). |
mc_view_im_data | Access Threat Intelligence Management data. |
Edit and delete are separate capabilities in Splunk Mission Control. Edit capabilities don't include the capability to delete.
Splunk Mission Control includes a few capabilities for internal use only. Don't add the following capabilities to roles: mc_display_id and mc_soar_proxy_execute.
Allow users to activate or deactivate Splunk Mission Control
To allow a user to activate or deactivate Splunk Mission Control, you must assign them a role with the edit_missioncontrol_agreements capability, or you can add that capability manually. For example, the sc_admin role includes this capability, so users with the sc_admin role, or a role that imports the sc_admin role, can activate or deactivate Splunk Mission Control. See User capabilities in Splunk Mission Control to learn more about capabilities and which roles they're assigned to.
Allow users to access actions and playbooks in Splunk Mission Control
Users need particular roles and capabilities to use Splunk SOAR actions and playbooks in Splunk Mission Control. To learn more about actions and playbooks, see Automate incident response with playbooks and actions in Splunk Mission Control. To view and manage roles and capabilities for users, select Settings then Roles from Splunk Cloud Platform.
If you are a Splunk SOAR (Cloud) admin, you can't create users or roles in the Splunk SOAR (Cloud) interface after you activate Splunk Mission Control. Instead, you must manage roles and capabilities for users from Splunk Cloud Platform.
Assign roles and capabilities to run actions
To view and run actions in Splunk Mission Control, you must have the view capabilities for Splunk SOAR assets, apps, and custom lists. To allow a user to view the available actions to run on an incident, make sure the user's role has the following capabilities:
- mc_view_soar_apps
- mc_view_soar_assets
- mc_view_soar_custom_lists
You can assign these capabilities to a user by adding the capabilities to an existing role or by creating a new role.
To run an action, a user must also have any mc_soar_repo_execute_<repo_name> role.
The mc_observer role includes the Splunk SOAR view capabilities required to view available actions. To allow a user to run actions, assign any mc_soar_repo_execute_<repo_name> role, and then either add the required view capabilities to the role or assign the mc_observer role as well so that the user inherits those capabilities automatically.
Assign roles and capabilities to view, edit, and run playbooks
To use playbooks in Splunk Mission Control, you must have the view capabilities for Splunk SOAR assets, apps, and custom lists. To allow a user to view the available playbooks to run on an incident, make sure the user's role has the following capabilities:
- mc_view_soar_apps
- mc_view_soar_assets
- mc_view_soar_custom_lists
You can assign these capabilities to a user by adding the capabilities to an existing role or by creating a new role. For example, if you want to assign a custom role to a user who needs to view playbooks, create a new role, and then add the view capabilities for Splunk SOAR assets, apps, and custom lists to the role.
To add the capabilities to an existing role, start by assigning the user one of the following roles for different playbook access types:
- Edit: Assign the mc_soar_repo_edit_<repo_name> role for users who need to view, edit, and delete playbooks in a repository named <repo_name> and who also need to edit playbook code in a repository named <repo_name>.
- Run: Assign the mc_soar_repo_execute_<repo_name> role for users who need to view and run playbooks in a repository named <repo_name>.
- View: Assign the mc_soar_repo_view_<repo_name> role for users who need to only view playbooks of a particular repository named <repo_name>.
Then, add the view capabilities for Splunk SOAR assets, apps, and custom lists to the role.
Use role inheritance to group roles together
In Splunk Mission Control, after you have roles with several incident types, you might find it difficult to manage assigning these roles to users. You can create your own roles to group these roles together. To accomplish this, follow these steps:
- Create a new role in Splunk Cloud Platform.
- Use role inheritance to add related roles to the role.
- Then, assign this new role to users.
For example, you can create a new "phishing_group" role and then add the roles with incident types related to phishing to it. See Add or edit a role in the Securing Splunk Cloud Platform manual.
As you create more incident type roles, you can add them to your new role groupings so that you don't have to assign many individual roles to users.
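The requirements described above (the three view capabilities plus an mc_soar_repo_execute_<repo_name> role to run actions, the mc_events index for the Events tab, and grouping roles through inheritance) can be checked offline against an export of role definitions. The following Python is an added example, not Splunk code: the ROLES data and its keys, the repo name local, and the custom role names are constructed, and it assumes that a repo role reached through inheritance counts like one assigned directly.

```python
import re

# Capabilities the page requires to see available actions and playbooks.
VIEW_CAPS = {"mc_view_soar_apps", "mc_view_soar_assets", "mc_view_soar_custom_lists"}
# Capabilities the page marks as internal use only.
INTERNAL_CAPS = {"mc_display_id", "mc_soar_proxy_execute"}
REPO_ROLE = re.compile(r"^mc_soar_repo_(edit|execute|view)_(.+)$")

# Constructed sample, not real tenant data. Hypothetical keys: "imports" = inherited
# roles, "caps" = capabilities set on the role, "indexes" = indexes marked Included.
# Capability sets are trimmed to what the checks read; "local" is a made-up repo name.
ROLES = {
    "mc_observer": {"imports": [], "caps": VIEW_CAPS | {"mc_health_report"}, "indexes": set()},
    "mc_soar_repo_execute_local": {"imports": [], "caps": set(), "indexes": set()},
    "mc_soar_repo_view_local": {"imports": [], "caps": set(), "indexes": set()},
    "phishing_group": {"imports": ["mc_observer", "mc_soar_repo_execute_local"],
                       "caps": set(), "indexes": {"mc_events"}},
    "custom_triage": {"imports": ["mc_soar_repo_view_local"],
                      "caps": {"mc_view_soar_apps", "mc_display_id"}, "indexes": set()},
}


def effective(role_names, roles=ROLES):
    """Follow role inheritance; return (role names, capabilities, indexes) in effect."""
    seen, caps, indexes = set(), set(), set()
    stack = list(role_names)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:  # ignore cycles and unknown roles
            continue
        seen.add(name)
        caps |= roles[name]["caps"]
        indexes |= roles[name]["indexes"]
        stack.extend(roles[name]["imports"])
    return seen, caps, indexes


def soar_access(role_names, roles=ROLES):
    """Report what a user's assigned roles allow for actions and playbooks."""
    names, caps, indexes = effective(role_names, roles)
    repos = {}  # repo name -> access types granted by mc_soar_repo_* roles
    for name in names:
        match = REPO_ROLE.match(name)
        if match:  # assumption: an inherited repo role counts like an assigned one
            repos.setdefault(match.group(2), set()).add(match.group(1))
    missing = sorted(VIEW_CAPS - caps)
    return {
        "missing_view_caps": missing,
        "can_view_actions": not missing,
        "can_run_actions": not missing and any("execute" in k for k in repos.values()),
        "repos": {repo: sorted(kinds) for repo, kinds in sorted(repos.items())},
        "can_view_events_tab": "mc_events" in indexes,
    }


def internal_caps_on_custom_roles(roles=ROLES):
    """Heuristic: flag internal-only capabilities on roles without the mc_ prefix."""
    return {name: sorted(role["caps"] & INTERNAL_CAPS) for name, role in roles.items()
            if not name.startswith("mc_") and role["caps"] & INTERNAL_CAPS}
```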
This documentation applies to the following versions of Splunk® Mission Control: Current