Authorized Users are enabled by default. Use this setting to toggle whether the Authorized section is visible in the Investigation screen's HUD.
When Authorized Users is enabled, the Authorized control for managing authorized users appears in the Investigation screen. The control is in the HUD, which you open by using the double-down chevron pull-down tab.
Access the HUD and Event Info by doing the following:
- Click the double-down chevron.
- Click the right arrow ( > ) next to Event Info.
The Authorized control is located in the People section.
This toggle is available for viewing and editing if your role has view and edit permissions for the system settings. See Manage roles and permissions in for more information about roles and permissions.
Disable authorized users by doing the following:
- From the Home menu, select Administration.
- Select Event Settings > Authorized Users.
- Click the Enable Authorized Users toggle to the Off position.
Once disabled, the Authorized section is no longer visible in Investigation. Re-enabling Authorized Users makes the Authorized section visible in Investigation again and also re-enables the authorized access that was previously configured.
Authorized access might not be available for every user in the system by default. Authorized access can only be granted to the subset of users who are already assigned to a label that has edit permissions on the container. For example, some teams only want to allow certain people to work on particular types of cases. Not every user assigned to a label needs access to a particular case.
Grant authorized access by doing the following in Investigation:
- Expand the Event Info collapsible section of a container.
- Click the edit icon in the Authorized section.
- From the Authorized Users drop-down list, select the names of the people who need access.
The Authorized section is visible if you have basic permissions for events with view selected. The Authorized Users drop-down list is editable if you have label permissions for events with view and edit selected.
Administrators always have access to all containers. Normally, you don't need to authorize them. However, if you want to restrict a container to administrators only, set Administrators in the Authorized Users list. Setting specific user names grants access to those users and to administrators.
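The rules above can be checked against a small model before you change a container's Authorized Users list. This is an added example, not Splunk SOAR code or its API: the names `Container`, `grant`, and `has_access` are hypothetical, and it assumes that an empty list or a disabled setting leaves label permissions as the only restriction.

```python
from dataclasses import dataclass, field

# List entry that restricts a container to administrators only (from the page).
ADMINISTRATORS = "Administrators"


@dataclass
class Container:
    # Users assigned to a label that has edit permissions on this container.
    label_editors: set
    # Names selected in the Authorized Users drop-down list.
    authorized: set = field(default_factory=set)


def grant(container, name):
    """Add a name to the Authorized Users list, enforcing eligibility."""
    # Only users who already have label edit permission can be authorized.
    if name != ADMINISTRATORS and name not in container.label_editors:
        raise PermissionError(f"{name} has no edit permission on the label")
    container.authorized.add(name)


def has_access(container, user, is_admin=False, feature_enabled=True):
    """Return True if the user can work on the container."""
    if is_admin:
        return True  # administrators always have access to all containers
    if user not in container.label_editors:
        return False  # label permission is a prerequisite for everyone else
    # Assumption: with the setting off or nothing selected, label
    # permissions alone decide access.
    if not feature_enabled or not container.authorized:
        return True
    # An "Administrators"-only list leaves no non-administrator authorized.
    return user in container.authorized


def demo():
    """Constructed sample: alice and bob share a label; only alice is authorized."""
    case = Container(label_editors={"alice", "bob"})
    grant(case, "alice")
    return {
        "alice": has_access(case, "alice"),
        "bob": has_access(case, "bob"),
        "admin": has_access(case, "root", is_admin=True),
    }


if __name__ == "__main__":
    print(demo())
```
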
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1