Configure users and roles
uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.
The Splunk platform supports several methods of user authentication. Splunk platform built-in user authentication takes precedence over any configured external authentication. See About user authentication in Securing Splunk Enterprise.
Users and roles in the Splunk App for PCI Compliance
In Splunk platform, the
admin role has (almost) complete administrative access, and that role inherits all capabilities of the other roles. All Splunk platform roles describe additive powers which are potentially inherited by other roles. This design avoids potential conflicts between the capabilities of two or more roles.
Splunk platform has three predefined user roles:
user. The Splunk App for PCI Compliance adds three additional predefined user roles:
pci_user. Assign all Splunk App for PCI Compliance users appropriate roles in order to perform their duties.
There are three conceptual categories of PCI compliance users used by the Splunk App for PCI Compliance:
- PCI Compliance Manager: Reviews PCI Compliance Posture, Protection Centers, and Audit dashboards in order to understand current PCI Compliance Posture of the organization. PCI Compliance Managers generally do not configure the product or manage incidents.
- PCI Compliance Analyst: Uses PCI Compliance Posture and Incident Review dashboards to manage and investigate PCI compliance incidents. PCI Compliance Analyst are also responsible for reviewing Protection Centers and providing direction on what constitutes a PCI compliance incident. Generally, they define the thresholds used by correlation searches and dashboards. A PCI Compliance Analyst needs to be able to edit correlation searches and create suppressions.
- PCI Compliance Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflow, new data sources, tuning of rules, and troubleshooting the application.
Each user type requires different levels of access to perform its assigned functions. The following table outlines the various capabilities required by the different functions.
|Role||PCI Compliance Manager||PCI Compliance Analyst||PCI Compliance Administrator|
In the following table, each row inherits the role of the rows above it, and the capabilities of that role.
|user||Inherits no other roles by default and cannot perform real-time searches.||View PCI compliance dashboards and search notable event indexes.|
||Have all the capabilities of a |
||Have all the capabilities of a |
The capabilities of
||Can own notable events and perform workflow status transitions. This role is assigned by a |
|pci_admin||Provides a grouping of capabilities necessary to administer the product. It inherits
||Can perform all capabilities of a |
Can edit correlation searches, edit review statuses, own notable events, and perform all workflow transitions. The
||Can administer the Splunk App for PCI Compliance with no additional capabilities. All Splunk Enterprise administrators are assumed to be PCI compliance administrators.|
All role inheritance is preconfigured in . If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see Add and edit roles and Securing Splunk in Securing Splunk Enterprise.
Add capabilities to a role
Capabilities control the level of access that roles have to various features in the Splunk App for PCI Compliance. Use the Permissions page in the Splunk App for PCI Compliance to review and change the capabilities assigned to a role.
- On the menu bar, select Configure > General > Permissions.
- Find the role you want to update.
- Find the ES Component you want to add.
- Select the check box for the component for the role.
Capabilities specific to
uses custom capabilities to control access to PCI-specific features.
Add capabilities on the permissions page in to make sure that the proper access control lists (ACLs) are updated. The permissions page makes the ACL changes for you. If you add these custom capabilities on the Splunk platform settings page, you must update the ACLs yourself.
|Function in Splunk App for PCI Compliance||Description||Capability|
|Create new notable events||Create ad-hoc notable events from search results. See Manually create a notable event.||edit_tcp |
|Edit correlation searches||Edit correlation searches on Content Management. See Configure correlation searches.||edit_correlationsearches |
|Edit Distributed Configuration Management||Use distributed configuration management.|
|Edit ES navigation||Make changes to the Splunk App for PCI Compliance navigation.||edit_es_navigation|
|Edit glass tables||Create and modify glass tables. Not relevant for the Splunk App for PCI Compliance.||edit_glasstable|
|Edit identity lookup configuration||Manage the configuration of identity lookups and restrict asset and identity correlation. Not relevant for the Splunk App for PCI Compliance.||edit_identitylookup|
|Edit Incident Review||Make changes to Incident Review settings. See Customize Incident Review.||edit_log_review_settings|
|Edit lookups||Make changes to lookup table files.||edit_lookups|
|Edit notable event statuses||Make changes to the statuses available to select for notable events. See Managing and monitoring notable event statuses.||edit_tcp|
transition_reviewstatus-X to Y
|Edit notable event suppressions||Create and edit notable event suppressions. See Create and manage notable event suppressions.||edit_suppressions|
|Edit notable events||Make changes to notable events, such as assigning them.||edit_notable_events|
|Edit per-panel filters||Create and manage per-panel filters for dashboards.||edit_per_panel_filters|
|Edit threat intelligence||Create and modify threat intelligence download settings.||edit_modinput_threatlist|
|Edit timelines||Create and edit investigation timelines. Only roles with this capability can make changes to investigation timelines. See Investigation bar.||edit_timelines|
|Manage configurations||Make changes to the general settings or the list of editable lookups.||edit_managed_configurations|
|Own notable events||Allows the role to be an owner of notable events. See Notable Events.||can_own_notable_events|
|Search-driven lookups||Create lookup tables that can be populated by a search.||edit_managed_configurations |
|Export content||Export content from Content Management as an app.||edit_correlationsearches|
|Credential Manager||Manage credentials for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page.||admin_all_objects|
Adjust the concurrent searches for a role
Splunk platform defines a limit on concurrently running searches for the
power roles by default. You may want to change those concurrent searches for some roles.
- On the menu bar, select Configure > General > General Settings.
- Review the limits for roles and change them as desired.
|Search Disk Quota (admin)||The maximum disk space (MB) a user with the admin role can use to store search job results.|
|Search Jobs Quota (admin)||The maximum number of concurrent searches for users with the admin role.|
|Search Jobs Quota (power)||The maximum number of concurrent searches for users with the power role.|
To change the limits for roles other then
power, edit the
authorize.conf file to update the default search quota. See the authorize.conf.example in the Admin manual.
Configure the roles to search multiple indexes
Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. Splunk platform configures all roles to search only the
main index by default. See About configuring role-based user access
To allow roles in to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.
- Select Settings > Access Controls.
- Click Roles.
- Click the role name that you want to allow to search additional indexes.
- Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
- Save your changes.
- Repeat for additional roles as needed.
If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
For more information on the reasons for multiple indexes, see Why have multiple indexes? in Managing Indexers and Clusters of Indexers.
Configure and deploy indexes
Reports in the Splunk App for PCI Compliance
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2