Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Configure users and roles

Splunk App for PCI Compliance uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.

Authentication methods

The Splunk platform supports several methods of user authentication. Splunk platform built-in user authentication takes precedence over any configured external authentication. See About user authentication in Securing Splunk Enterprise.

Users and roles in the Splunk App for PCI Compliance

In Splunk platform, the admin role has (almost) complete administrative access, and that role inherits all capabilities of the other roles. All Splunk platform roles describe additive powers which are potentially inherited by other roles. This design avoids potential conflicts between the capabilities of two or more roles.

Splunk platform has three predefined user roles: admin, power, user. The Splunk App for PCI Compliance adds three additional predefined user roles: pci_admin, pci_analyst, pci_user. Assign all Splunk App for PCI Compliance users appropriate roles in order to perform their duties.

There are three conceptual categories of PCI compliance users used by the Splunk App for PCI Compliance:

  • PCI Compliance Manager: Reviews PCI Compliance Posture, Protection Centers, and Audit dashboards in order to understand current PCI Compliance Posture of the organization. PCI Compliance Managers generally do not configure the product or manage incidents.
  • PCI Compliance Analyst: Uses PCI Compliance Posture and Incident Review dashboards to manage and investigate PCI compliance incidents. PCI Compliance Analyst are also responsible for reviewing Protection Centers and providing direction on what constitutes a PCI compliance incident. Generally, they define the thresholds used by correlation searches and dashboards. A PCI Compliance Analyst needs to be able to edit correlation searches and create suppressions.
  • PCI Compliance Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflow, new data sources, tuning of rules, and troubleshooting the application.

Each user type requires different levels of access to perform its assigned functions. The following table outlines the various capabilities required by the different functions.

Role PCI Compliance Manager PCI Compliance Analyst PCI Compliance Administrator
pci_user capabilities yes yes yes
pci_analyst capabilities yes yes
admin capabilities yes

In the following table, each row inherits the role of the rows above it, and the capabilities of that role.

Splunk role Inheritance Notes
user Inherits no other roles by default and cannot perform real-time searches. View PCI compliance dashboards and search notable event indexes.
pci_user Inherits the user role. Have all the capabilities of a user, plus the ability to perform real-time searches. This role is assigned by a pci_admin.
power Inherits the user role but does not inherit the pci_user role. Have all the capabilities of a user, in addition to the ability to perform real-time searches.
The capabilities of pci_user and power are the same. However, you should use the pci_user role for PCI compliance users to facilitate upgrades with future capabilities.
pci_analyst Inherits the power and user roles' capabilities. Can own notable events and perform workflow status transitions. This role is assigned by a pci_admin.
pci_admin Provides a grouping of capabilities necessary to administer the product. It inherits pci_analyst, pci_user, power, and user roles. Can perform all capabilities of a pci_analyst and pci_user.
Can edit correlation searches, edit review statuses, own notable events, and perform all workflow transitions. The pci_admin can also create and assign custom PCI compliance roles.
The pci_admin role is a "container" for capabilities required to administer PCI compliance only.
admin The admin role inherits pci_admin, pci_analyst, pci_user, power, and user role capabilities. Can administer the Splunk App for PCI Compliance with no additional capabilities. All Splunk Enterprise administrators are assumed to be PCI compliance administrators.

Role inheritance

All role inheritance is preconfigured in Splunk App for PCI Compliance. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see Add and edit roles and Securing Splunk in Securing Splunk Enterprise.

Add capabilities to a role

Capabilities control the level of access that roles have to various features in the Splunk App for PCI Compliance. Use the Permissions page in the Splunk App for PCI Compliance to review and change the capabilities assigned to a role.

  1. On the Splunk App for PCI Compliance menu bar, select Configure > General > Permissions.
  2. Find the role you want to update.
  3. Find the ES Component you want to add.
  4. Select the check box for the component for the role.
  5. Save.

Capabilities specific to Splunk App for PCI Compliance

Splunk App for PCI Compliance uses custom capabilities to control access to PCI-specific features.

Add capabilities on the permissions page in Splunk App for PCI Compliance to make sure that the proper access control lists (ACLs) are updated. The permissions page makes the ACL changes for you. If you add these custom capabilities on the Splunk platform settings page, you must update the ACLs yourself.

Function in Splunk App for PCI Compliance Description Capability
Create new notable events Create ad-hoc notable events from search results. See Manually create a notable event. edit_tcp
edit_notable_events
Edit correlation searches Edit correlation searches on Content Management. See Configure correlation searches. edit_correlationsearches
schedule_search
Edit Distributed Configuration Management Use distributed configuration management.
Edit ES navigation Make changes to the Splunk App for PCI Compliance navigation. edit_es_navigation
Edit glass tables Create and modify glass tables. Not relevant for the Splunk App for PCI Compliance. edit_glasstable
Edit identity lookup configuration Manage the configuration of identity lookups and restrict asset and identity correlation. Not relevant for the Splunk App for PCI Compliance. edit_identitylookup
Edit Incident Review Make changes to Incident Review settings. See Customize Incident Review. edit_log_review_settings
Edit lookups Make changes to lookup table files. edit_lookups
Edit notable event statuses Make changes to the statuses available to select for notable events. See Managing and monitoring notable event statuses. edit_tcp
edit_notable_events
transition_reviewstatus-X to Y
Edit notable event suppressions Create and edit notable event suppressions. See Create and manage notable event suppressions. edit_suppressions
Edit notable events Make changes to notable events, such as assigning them. edit_notable_events
edit_tcp
Edit per-panel filters Create and manage per-panel filters for dashboards. edit_per_panel_filters
Edit threat intelligence Create and modify threat intelligence download settings. edit_modinput_threatlist
Edit timelines Create and edit investigation timelines. Only roles with this capability can make changes to investigation timelines. See Investigation bar. edit_timelines
Manage configurations Make changes to the general settings or the list of editable lookups. edit_managed_configurations
Own notable events Allows the role to be an owner of notable events. See Notable Events. can_own_notable_events
Search-driven lookups Create lookup tables that can be populated by a search. edit_managed_configurations
schedule_search
Export content Export content from Content Management as an app. edit_correlationsearches
Credential Manager Manage credentials for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. admin_all_objects

Adjust the concurrent searches for a role

Splunk platform defines a limit on concurrently running searches for the user and power roles by default. You may want to change those concurrent searches for some roles.

  1. On the Splunk App for PCI Compliance menu bar, select Configure > General > General Settings.
  2. Review the limits for roles and change them as desired.
Item Description
Search Disk Quota (admin) The maximum disk space (MB) a user with the admin role can use to store search job results.
Search Jobs Quota (admin) The maximum number of concurrent searches for users with the admin role.
Search Jobs Quota (power) The maximum number of concurrent searches for users with the power role.

To change the limits for roles other then admin and power, edit the authorize.conf file to update the default search quota. See the authorize.conf.example in the Admin manual.

Configure the roles to search multiple indexes

Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. Splunk platform configures all roles to search only the main index by default. See About configuring role-based user access

To allow roles in Splunk App for PCI Compliance to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.

  1. Select Settings > Access Controls.
  2. Click Roles.
  3. Click the role name that you want to allow to search additional indexes.
  4. Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
  5. Save your changes.
  6. Repeat for additional roles as needed.

If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.

For more information on the reasons for multiple indexes, see Why have multiple indexes? in Managing Indexers and Clusters of Indexers.

PREVIOUS
Configure and deploy indexes
  NEXT
Reports in the Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters