Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Configure role based access control inside Splunk Phantom apps

Splunk Phantom supports granular asset access control inside Splunk Phantom apps so that only authorized users can use an app. Asset access control follows a default-deny policy: access is allowed only where it has been explicitly authorized.

When granular asset access control is enabled, only users or groups with explicit permissions are able to perform actions in a Splunk Phantom app. Configure user and group permissions on all configured apps before enabling granular asset access control.

The following example shows how to set up a user for a single permission on the Phantom DNS app.

  1. From the Main Menu, select Apps.
  2. Click 1 configured asset to expand the section.
  3. Click Google DNS to edit the asset.
  4. Click the Access Control tab.
  5. Click Edit.
  6. Select lookup domain from the App Action drop-down list.
  7. Select the user Herman Smith and click the right arrow to move this user into the Approved Users and Roles area.
    The screenshot for this step shows the Asset Configuration page for the DNS app. In the App Action drop-down list, the lookup domain action is selected. The user Herman Smith appears in the Approved Users and Roles section.
  8. Click Save.

With your app configured for this role, you can now enable granular asset access control so that these permissions take effect.

  1. From the Main Menu, select Administration.
  2. Select User Management > Asset Permissions.
  3. Check the Enable granular Asset Access Control checkbox.
  4. Confirm that you want to change global asset permissions.
  5. Click Save Changes.
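
The following added example is not Splunk Phantom code and does not call any Phantom API. It models the default-deny rule described above in Python and reports which app actions have no approved users or roles, which is the check to make before enabling granular asset access control. The inventory is constructed: only Google DNS, lookup domain and Herman Smith come from this page, and the class, function names, the lookup ip action and the Analyst role are assumptions.

```python
# Added illustration: a model of the default-deny rule, not Splunk Phantom code.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    # App action -> principals listed under "Approved Users and Roles".
    approved: dict = field(default_factory=dict)


def is_allowed(asset, action, user, roles, granular_enabled):
    """Return True if the user may run the action on the asset."""
    if not granular_enabled:
        # Assumption: per-action lists are not enforced until the global
        # checkbox is enabled; other role permissions are out of scope here.
        return True
    principals = asset.approved.get(action, set())
    # Default deny: no explicit entry for the user or one of their roles, no access.
    return user in principals or bool(principals & set(roles))


def lockout_report(assets, actions_by_asset):
    """List (asset, action) pairs that nobody could run once enforcement is on."""
    return [
        (asset.name, action)
        for asset in assets
        for action in actions_by_asset.get(asset.name, [])
        if not asset.approved.get(action)
    ]


# Constructed sample inventory. "Google DNS", "lookup domain" and "Herman Smith"
# come from the walkthrough; "lookup ip" and the role name are made up here.
ASSETS = [Asset("Google DNS", {"lookup domain": {"Herman Smith"}})]
ACTIONS = {"Google DNS": ["lookup domain", "lookup ip"]}

if __name__ == "__main__":
    dns = ASSETS[0]
    print(is_allowed(dns, "lookup domain", "Herman Smith", [], True))
    print(is_allowed(dns, "lookup ip", "Herman Smith", ["Analyst"], True))
    for asset_name, action in lockout_report(ASSETS, ACTIONS):
        print(f"no approved users or roles: {asset_name} / {action}")
```

An empty report means every configured action has at least one approved user or role, so enabling enforcement does not lock an action out for everyone.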
Last modified on 08 June, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
