Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Manage roles and permissions in Splunk Phantom

Roles in Splunk Phantom serve the following purposes:

View your Splunk Phantom roles

To view the roles configured in your Splunk Phantom instance, perform the following steps to access the Roles page:

  1. From the main menu, select Administration.
  2. Select User Management > Roles & Permissions.

Splunk Phantom includes the following default roles that can't be edited or deleted:

Role: Description
Administrator: Users with this role have view, edit, and delete privileges for, and can access, all Splunk Phantom functions and settings:
  • View, edit, and delete permissions for everything
  • Manage users and accounts
  • Change any and all Splunk Phantom settings
  • Install or remove apps or connectors
  • Create, edit, and delete Assets
  • Create, edit, and delete playbooks
Asset Owner: Users with this role can create and edit assets, and view all other parts of the system.
Automation: This is a service account role used for automated tasks including REST API operations, playbook execution, and ingestion.
Automation Engineer: Users with this role can view and execute playbooks (but not edit or create them), and view everything else.
Incident Commander: Users with this role are the equivalent of users with the Administrator role. They can edit containers and system settings, edit and execute playbooks, and view everything.
Observer: Users with this role can view everything, but cannot edit or execute anything.

Users granted multiple roles have the cumulative privileges of all the roles. You can also restrict access to specific named objects. See Named object permissions.

Add a role to Splunk Phantom

Perform the following steps to add a new role in Splunk Phantom:

  1. From the Main Menu, select Administration.
  2. Select User Management > Roles & Permissions.
  3. Click + Role.
  4. Enter a name for the role.
  5. (Optional) Enter a description for the role.
  6. Select the Basic Permissions provided by this role.
    Component Permission and Description
    Apps
    • Select Edit to allow the user to add or delete apps, or edit settings on individual apps.
    • Select View to allow the user to view the list of installed apps, and view the settings for individual apps.
    Assets
    • Select Delete to allow the user to delete assets. Note that the user also needs the View permission on assets in order to see the asset before they can edit it.
    • Select Edit to allow the user to add and edit assets.
    • Select View to allow the user to look at the list of assets and individual asset configurations.
    Cases
    • Select Delete to allow the user to delete cases.
    • Select Edit to allow the user to create and edit cases.
    • Select View to allow the user to view cases.
    Events
    • Select Delete to allow the user to delete events.
    • Select Edit to allow the user to modify events. This includes data about the event itself (assigned owner, SLA) as well as being able to add items to artifacts and files.
    • Select View to allow the user to view events. This includes both the list of events, as well as the contents of individual events.
    Custom Lists
    • Select Delete to allow the user to delete custom lists.
    • Select Edit to allow the user to create and edit custom lists.
    • Select View to allow the user to view custom lists.
    Playbooks
    • Select Delete to allow the user to delete playbooks.
    • Select Edit to allow the user to edit playbooks, including modifying the playbook settings such as logging, active, safe mode, and draft mode. For more information on playbook settings, see View or edit playbook settings in Splunk Phantom in the Build Playbooks with the Visual Editor manual.
    • Select View to allow the user to view playbooks.
    • Select Execute to allow the user to execute playbooks on events.
    • Select Edit Code to allow playbook authors to manually edit Python code and customize code blocks. Authors without this permission can only use the visual block editor.
    System Settings
    • Select Edit to allow the user to change System Settings.

      The System Settings include authentication servers. Users with the Edit permission on System Settings have the ability to perform a privilege escalation attack.

    • Select View to allow the user to view system settings.
    Users and Roles
    • Select Edit to allow the user to edit, delete and add users and roles. Security note: a user with Edit permission can grant themselves all other privileges. They should be considered equivalent to an administrator.
    • Select View to allow the user to view users and roles, including what role each user has, email addresses, and last login time.
  7. Click Label Permissions to configure label permissions for this role. The labels you see in the table depend on the labels you have defined on your Splunk Phantom instance. See Create additional custom status labels in Splunk Phantom. The following permissions can be configured:
    Permission: Description
    Delete: The user can delete any object in Splunk Phantom that has this label. Clicking this automatically grants the Edit and View permissions.
    Edit: The user can edit any object in Splunk Phantom that has this label. Clicking this automatically grants the View permission.
    View: The user can view any object in Splunk Phantom with this label, but cannot modify or delete any such objects.
  8. Click Repository Permissions to configure repository permissions for this role. The repositories you see in the table depend on the repositories configured on your Splunk Phantom instance. See Configure a source control repository for your Splunk Phantom playbooks. The following permissions can be configured:
    Permission: Description
    Delete: The user can delete any playbook in this repository. Clicking this automatically grants the Edit and View permissions.
    Edit: The user can edit any playbook in this repository. Clicking this automatically grants the View permission.
    View: The user can view any playbook in this repository, but cannot modify or delete any playbooks.
    Execute: The user can run any playbook in this repository.
  9. If multi-tenancy is configured and enabled on your system, click Tenant Permissions to configure tenant permissions for this role. See Configure multiple tenants on your Splunk Phantom instance. The following permissions can be configured:
    Permission: Description
    Delete: The user can delete any container assigned to this tenant. Clicking this automatically grants the Edit and View permissions.
    Edit: The user can edit any container assigned to this tenant. Clicking this automatically grants the View permission.
    View: The user can view any container assigned to this tenant, but cannot modify or delete any containers.
  10. Click Create Role.
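
The following added example (not part of the Splunk documentation and not Splunk Phantom code) reviews a role design before it is created: it unions each user's roles, as privileges are cumulative, expands the label grants that Delete and Edit include automatically, and flags users who hold Edit on Users and Roles or on System Settings. The role names, users, and dictionary layout are constructed for illustration and are not Splunk Phantom's export or REST format.

```python
# Constructed sample data; this dict layout is a hypothetical export format,
# not Splunk Phantom's REST schema.
ADMIN_EQUIVALENT = {
    ("Users and Roles", "Edit"): "can grant themselves all other privileges",
    ("System Settings", "Edit"): "can edit authentication servers (privilege escalation)",
}
# Label grants only: Delete includes Edit and View; Edit includes View.
IMPLIED = {"Delete": {"Edit", "View"}, "Edit": {"View"}}

ROLES = {
    "Tier1 Analyst": {"basic": {("Events", "View"), ("Events", "Edit"), ("Playbooks", "Execute")},
                      "labels": {"events": {"Edit"}}},
    "Auth Maintainer": {"basic": {("System Settings", "View"), ("System Settings", "Edit")},
                        "labels": {}},
    "Cleanup": {"basic": {("Events", "View")},
                "labels": {"events": {"Delete"}, "email": {"View"}}},
}
USERS = {"alice": ["Tier1 Analyst"], "bob": ["Tier1 Analyst", "Auth Maintainer"],
         "carol": ["Tier1 Analyst", "Cleanup"]}


def expand(perms):
    """Add the permissions that a Delete or Edit label grant automatically includes."""
    out = set(perms)
    for p in perms:
        out |= IMPLIED.get(p, set())
    return out


def effective(user, users=USERS, roles=ROLES):
    """Union the basic and label permissions of every role the user holds."""
    basic, labels = set(), {}
    for name in users[user]:
        basic |= roles[name]["basic"]
        for label, perms in roles[name]["labels"].items():
            labels.setdefault(label, set()).update(expand(perms))
    return basic, labels


def admin_equivalent(user, users=USERS, roles=ROLES):
    """Return the reasons a user should be reviewed as an administrator, if any."""
    basic, _ = effective(user, users, roles)
    return sorted(reason for grant, reason in ADMIN_EQUIVALENT.items() if grant in basic)


def audit(users=USERS, roles=ROLES):
    """Map each flagged user to the reasons they are administrator-equivalent."""
    flagged = {u: admin_equivalent(u, users, roles) for u in users}
    return {u: r for u, r in flagged.items() if r}
```

Calling audit() on the sample data returns only bob, whose second role adds Edit on System Settings to an otherwise ordinary analyst account.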

Add users to a role in Splunk Phantom

Perform the following steps to add users to a role in Splunk Phantom:

  1. From the Main Menu, select Administration.
  2. Select User Management > Roles & Permissions.
  3. Click the role you want to edit and add users to.
  4. Click Add Users.
  5. Select a user from the drop-down list, or start typing a username to filter the users that are displayed.
  6. Click Add.
  7. Repeat and continue adding users as desired. Each time a user is added, the user card appears in the Users field in the role.

Edit a role in Splunk Phantom

Perform the following steps to edit a Splunk Phantom role:

  1. From the Main Menu, select Administration.
  2. Select User Management > Roles & Permissions.
  3. Select a custom role you want to modify. You can modify any of the permissions in a custom role, add users or remove users. When editing a system role, you can only add or remove users.
    • Users added to a role have their permissions saved in real time, before you click Save Changes.
    • Permission changes to roles are applied in real time to the users who are granted the updated permissions, before you click Save Changes.
    • Users inheriting roles from an SSO provider must log out and log back in to Splunk Phantom to see their updated permissions.
  4. Click Save Changes.

Delete a role in Splunk Phantom

Perform the following tasks to delete a role in Splunk Phantom:

  1. From the Main Menu, select Administration.
  2. Select User Management > Roles & Permissions.
  3. Click the role you want to delete.
  4. Click Delete Role.
  5. Click Delete to confirm that you want to delete the role.
Last modified on 06 May, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

