Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Use authorized users to grant authorized access

Authorized Users are enabled by default. Use this setting to toggle whether the Authorized section is visible in the Investigation screen's HUD.

The Authorized control for managing the Authorized Users appears in the Investigation screen if the authorized users are turned on. The control appears in the HUD, accessed by using the double-down chevron pull-down tab.

Access the HUD and Event Info by doing the following:

  1. Click the double-down chevron.
  2. Click the right arrow ( > ) next to Event Info.

The Authorized control is located in the People section.

This toggle is available for viewing and editing if your role has view and edit permissions for the system settings. See Manage roles and permissions in for more information about roles and permissions.

Disable authorized users by doing the following:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Authorized Users.
  3. Click the Enable Authorized Users toggle to the Off position.

Once disabled, the Authorized section is no longer visible in Investigation. Reenabling the Authorized Users makes the Authorized section visible in Investigation and also reenables the authorized access that was previously configured.

Authorized access might not be available for every user in the system by default. Authorized access can only be granted to the subset of users who are already assigned to a label that has edit permissions on the container. For example, some teams only want to allow certain people to work on particular types of cases. Not every user assigned to a label needs access to a particular case.

Grant authorized access by doing the following in Investigation:

  1. Expand the Event Info collapsible section of a container.
  2. Click the edit icon in the Authorized section.
  3. From the Authorized Users drop-down list, select the names of the people who need access.

The Authorized section is visible if you have basic permissions for events with view selected. The Authorized Users drop-down list is editable if you have label permissions for events with view and edit selected.

Administrators always have access to all containers. Normally, you don't need to authorize them. However, if you want to restrict a container to administrators only, set Administrators in the Authorized Users list. Setting specific user names will enable the specific users and administrators.

Last modified on 31 January, 2023
Configure labels to apply to containers   Manage users

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters