Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Manage users

View the Users page to see the users configured on your instance, add new users, or edit existing users.

Perform the following steps to access the Users page:

  1. From the Home menu, select Administration.
  2. Select User Management > Users.

Changes to the admin user account

With the release of version 6.0, the administrator account has changed. This change was made to better support users with the user name admin in single sign on systems.

Release Administrator account name
5.5.0 and lower admin
6.0.0 and higher soar_local_admin
  • On new deployments of version 6.0.0 and higher, the administrator account is created as soar_local_admin.
  • On deployments which have upgraded from versions 5.5.0 or earlier:
    • The existing user account admin will be automatically renamed to soar_local_admin.
    • A copy of the existing user account admin will be created with the user name admin. This copy is for your convenience, and may be deleted.

Default users and types of users

On a new instance, the following default users are available:

  • Admin: This is the default admin account and cannot be disabled or deleted. The admin user is not counted towards the seat count of a seat-based license.
  • Automation: The automation user is not counted towards the seat count of a seat-based license.
  • onprem_integration: A special user account used by the Splunk SOAR Automation Broker. The onprem_integration user is not counted towards the seat count of a seat-based license.

An information card is shown for each user. For a local user the information card displays:

  • The user's full name
  • username
  • last access date and time
  • roles
  • an icon showing the user's initials or custom icon

For automation users, the information card displays a colored ribbon on the left side of the card indicating the user type.

The automation user is a default internal service account used by for running automated playbooks and asset actions, such as data ingestion. The automation user and any other users with the automation type do not have passwords and can't log into the web interface. However they do provide REST authentication tokens that can be used to read and write data to the REST API. For information on how to use the REST API and authentication tokens, see Using the REST API reference in the REST API Reference.

Customize what you see on the Users page

Customize the information you see on the Users page:

  • Click the drop-down list in the Show field to view more or fewer user cards at a time. By default, 24 user cards are shown.
  • Use the filter in the View by field to sort the users by first name, last name, username, last accessed, and last created.
  • Click on the ellipsis (...) icon in the upper-right corner of each user card for additional options, such as viewing the user's effective permissions, editing the user, or deleting the user.

Configure user permissions

All user permissions in are derived from the user's role. To grant permissions to a user, you assign a role with the desired permission. Only the default admin user can have special, hard-coded permissions outside of any roles.

Perform the following steps to view the permissions for a user:

  1. From the Home menu, select Administration.
  2. Select User Management > Users.
  3. Click on a user card and review the roles assigned to this user in the Roles field.

Users with multiple roles have the sum of all the permissions allowed by those roles.

See Manage roles and permissions in for more information about roles and the permissions provided by each role.

Add users to

You can add users to from the web interface. The user can be authenticated locally by , or by using SAML2. In the case of SAML2, the user account can be created in or created automatically during the user's initial login. In order for accounts to be automatically created, a group mapping to a role must be configured. See Configuring single sign-on authentication for .

Create a local user

Perform the following tasks to add a local user. The user is authenticated by the instance.

  1. From the Home menu, select Administration.
  2. Select User Management > Users.
  3. Click + User.
  4. Verify that the User type is set to Local.
  5. Enter a username in the Username field.
  6. Enter a password in the Password field.
  7. (Optional) Complete the other fields on the screen, such as first and last name, email address, title, time zone, and location. If two factor authentication is enabled, also provide the Duo username. See Secure using two factor authentication.
  8. Click Create.

Create a SAML2 user

Perform the following steps to add a user who is authenticated using single sign-on (SSO). Before you do this, make sure you have single sign-on enabled. See Configuring single sign-on authentication for .

  1. From the Home menu, select Administration.
  2. Select User Management > Users.
  3. Click + User.
  4. In the User type field, select the SSO provider. Only the configured and enabled SSO providers are available to choose from.
  5. Enter the username in the Username field.
  6. (Optional) Complete the other fields on the screen, such as time zone and roles. If two factor authentication is enabled, also provide the Duo username. See Secure using two factor authentication.
  7. Click Create.

Create an automation user in

Perform the following steps to add an automation user in :

  1. From the Home menu, select Administration.
  2. Select User Management > Users.
  3. Click + User.
  4. In the User type field, select Automation.
  5. Enter the username in the Username field.
  6. (Optional) In the Allowed IPs field, specify the IP addresses allowed to connect as this user. You can specify individual IP addresses, CIDR ranges, or any to allow all IP addresses.
  7. (Optional) Enter a default label for this user. Any containers that get created by this user use this label if another label is not specified.
  8. (Optional) If multi-tenancy is enabled, select the default tenant in the Default Tenant field.
  9. (Optional) The Automation role is provided to automation users by default. See Manage roles and permissions in for more information about the permissions granted by each role.
  10. Click Create.

Edit an automation user to view the REST API authorization token and associated assets

Click an existing automation user on the Users page to view the following information:

  • The REST API authorization token, which is used to authenticate the user for access to the REST API. See Using the REST API reference in the REST API Reference manual.
  • The assets associated with this user.
    • The automation user is used to test connectivity with the listed assets, and also for ingesting data. Use the automation user configuration to set the permissions of the asset when the asset is running on its own.
    • When the asset is not performing test connectivity or data ingestion, it is running with the permissions of the user performing the action. If the asset is being run from a playbook, the asset has the permissions of the playbook user.
    • You can assign assets to an automation user during asset configuration. If you assigned an automation user to an asset, the asset appears in the automation user's card. See Configure automation users for a asset.

Disable an existing user

Disable a user in to prevent that user from logging in or accessing the system. Disabling a user does not delete the user account.

To disable an existing user, perform the following steps:

  1. From the Home menu, select Administration.
  2. Select User Management > Users.
  3. Click the ellipsis (...) icon for the user you want to disable, and select Edit.
  4. Click the Disabled checkbox.
  5. Click Save.
Last modified on 26 October, 2023
Use authorized users to grant authorized access   Manage roles and permissions in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters