Manage ACS API access with capabilities
You can manage access to Admin Config Service (ACS) API endpoints using the role-based access controls of Splunk Cloud Platform. To run a specific ACS operation against an ACS endpoint, a user's assigned role must contain the capabilities required to access the endpoint.
For example, to run a POST operation against the indexes endpoint to create a new index, your role must have the indexes_edit capability.
Any user whose role contains the required capabilities can run operations against ACS API endpoints, not just the sc_admin (Splunk Cloud Platform Admin) role.
For instructions on how to create roles and assign capabilities, see Create and manage roles with Splunk Web.
For more information on role-based access controls in Splunk Cloud Platform, see Define roles on the Splunk platform with capabilities.
Required ACS capabilities
The following table lists the capabilities required to run ACS operations against each ACS endpoint. By default, the sc_admin role has the required capabilities to run operations against most ACS endpoints; the exceptions are noted in the Required capability column.
| ACS feature | ACS operation | HTTP method | ACS endpoint | Required capability |
|---|---|---|---|---|
| Manage apps | List apps | GET | apps | None |
| Manage apps | Install app (Classic) | POST | apps | dmc_deploy_apps |
| Manage apps | Describe app (Classic) | GET | apps/{app} | None |
| Manage apps | Uninstall app (Classic) | DELETE | apps/{app} | dmc_deploy_apps |
| Manage apps | List apps (Victoria) | GET | apps/victoria | None |
| Manage apps | Install app (Victoria) | POST | apps/victoria | edit_local_apps AND install_apps |
| Manage apps | Upgrade app (Victoria) | PATCH | apps/victoria/{app} | edit_local_apps AND install_apps |
| Manage apps | Describe app (Victoria) | GET | apps/victoria/{app} | None |
| Manage apps | Uninstall app (Victoria) | DELETE | apps/victoria/{app} | edit_local_apps AND install_apps |
| Manage apps | Export apps (Victoria) | GET | app/victoria/export/download/{app_id} | export_apps (sc_admin does not have this capability by default) |
| Manage app permissions | List app permissions (Victoria) | GET | permissions/apps | None |
| Manage app permissions | Describe app (Victoria) | GET | permissions/apps/{app-name} | None |
| Manage app permissions | Configure app permissions (Victoria) | PATCH | permissions/apps/{app-name} | edit_local_apps AND install_apps |
| Manage indexes | Create index | POST | indexes | indexes_edit AND search |
| Manage indexes | List indexes | GET | indexes | indexes_edit AND search |
| Manage indexes | View individual index | GET | indexes/{name} | indexes_edit AND search |
| Manage indexes | Update index | PATCH | indexes/{name} | indexes_edit AND search |
| Manage indexes | Delete index | DELETE | indexes/{name} | indexes_edit AND search |
| Manage HEC tokens | List HEC tokens (Victoria) | GET | inputs/http-event-collectors | list_token_http OR edit_token_http |
| Manage HEC tokens | Create HEC token (Victoria) | POST | inputs/http-event-collectors | edit_token_http AND indexes_edit AND search |
| Manage HEC tokens | Describe HEC token (Victoria) | GET | inputs/http-event-collectors/{hec} | list_token_http OR edit_token_http |
| Manage HEC tokens | Update HEC token (Victoria) | PUT | inputs/http-event-collectors/{hec} | edit_token_http AND indexes_edit AND search |
| Manage HEC tokens | Delete HEC token (Victoria) | DELETE | inputs/http-event-collectors/{hec} | edit_token_http |
| Manage HEC tokens | List HEC tokens (Classic) | GET | inputs/http-event-collectors | dmc_deploy_apps AND dmc_deploy_token_http |
| Manage HEC tokens | Create HEC token (Classic) | POST | inputs/http-event-collectors | dmc_deploy_apps AND dmc_deploy_token_http AND indexes_edit |
| Manage HEC tokens | Describe HEC token (Classic) | GET | inputs/http-event-collectors/{hec} | dmc_deploy_apps AND dmc_deploy_token_http |
| Manage HEC tokens | Update HEC token (Classic) | PUT | inputs/http-event-collectors/{hec} | dmc_deploy_apps AND dmc_deploy_token_http AND indexes_edit |
| Manage HEC tokens | Delete HEC token (Classic) | DELETE | inputs/http-event-collectors/{hec} | dmc_deploy_apps AND dmc_deploy_token_http |
| Manage limits.conf configs | List limits.conf settings | GET | limits | acs_conf AND admin_all_objects |
| Manage limits.conf configs | List limits.conf settings in a stanza | GET | limits/{stanza} | acs_conf AND admin_all_objects |
| Manage limits.conf configs | Edit limits.conf settings | POST | limits/{stanza} | acs_conf AND admin_all_objects |
| Manage limits.conf configs | Get a limits.conf setting | GET | limits/{stanza}/{setting} | acs_conf AND admin_all_objects |
| Manage limits.conf configs | Reset limits.conf settings | POST | limits/{stanza}/reset | acs_conf AND admin_all_objects |
| Manage auth tokens | View existing tokens | GET | tokens | edit_tokens_all OR list_tokens_all |
| Manage auth tokens | Create token | POST | tokens | edit_tokens_all AND edit_tokens_settings |
| Manage auth tokens | View individual token | GET | tokens/{tokenID} | edit_tokens_all OR list_tokens_all |
| Manage auth tokens | Delete token | DELETE | tokens/{tokenID} | edit_tokens_all OR edit_tokens_settings |
| Configure IP allow lists | List subnets on allow list | GET | access/{feature}/ipallowlists | acs_list_ip_allow_list |
| Configure IP allow lists | Add subnets to allow list | POST | access/{feature}/ipallowlists | edit_ip_allow_list |
| Configure IP allow lists | Delete subnets | DELETE | access/{feature}/ipallowlists | edit_ip_allow_list |
| Configure IP allow lists | Delete individual subnet | DELETE | access/{feature}/ipallowlists/{subnet} | edit_ip_allow_list |
| Configure outbound ports | List outbound ports | GET | access/outbound-ports | acs_list_outbound_ports |
| Configure outbound ports | Create outbound port | POST | access/outbound-ports | acs_edit_outbound_ports |
| Configure outbound ports | Describe outbound port | GET | access/outbound-ports/{port} | acs_list_outbound_ports |
| Configure outbound ports | Delete outbound port | DELETE | access/outbound-ports/{port} | acs_edit_outbound_ports |
| View maintenance windows | List maintenance window schedules | GET | maintenance-windows/schedules | acs_list_maintenance_windows |
| View maintenance windows | Describe maintenance window schedule | GET | maintenance-windows/schedules/{scheduleID} | acs_list_maintenance_windows |
| Configure private connectivity | Validate private connectivity | GET | private-connectivity/eligibility | acs_list_private_connectivity |
| Configure private connectivity | Describe private connectivity | GET | private-connectivity/endpoints | acs_list_private_connectivity |
| Configure private connectivity | Enable private connectivity | POST | private-connectivity/endpoints | acs_edit_private_connectivity |
| Configure private connectivity | Update private connectivity | PATCH | private-connectivity/endpoints | acs_edit_private_connectivity |
| Manage restarts | Initiate search head restart (Victoria) | POST | restart-now | restart_splunkd (non-clustered SH) OR edit_search_head_clustering (SHC) |
| Manage restarts | Initiate search head restart (Classic) | POST | restart-now | restart_splunkd (for both non-clustered SH and SHC) |
| Manage restarts | Check restart status (SHC only) (Victoria and Classic) | GET | restart/status | list_search_head_clustering |
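The table's AND/OR requirements are easy to misread when auditing a custom role, so the following added example (not Splunk's code, and not part of this page) encodes a subset of the table as data and evaluates whether a given role's capability set satisfies an endpoint's requirement. The requirement strings are transcribed from the table above; the function names, the role definitions and their capability sets are constructed for illustration. Where the requirement differs between Experiences for the same method and endpoint (HEC tokens), the subset uses the Victoria rows.

```python
"""Check a role's capabilities against ACS endpoint requirements.

Added example, not Splunk's code. Requirement strings below are transcribed
from the ACS capability table; roles and function names are constructed.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# (HTTP method, ACS endpoint) -> required-capability cell, as written on the page.
# "None" means no capability is required. Each cell uses either AND or OR.
ACS_REQUIREMENTS: Dict[Tuple[str, str], str] = {
    ("GET", "apps"): "None",
    ("POST", "apps"): "dmc_deploy_apps",
    ("POST", "apps/victoria"): "edit_local_apps AND install_apps",
    ("GET", "app/victoria/export/download/{app_id}"):
        "export_apps (sc_admin does not have this capability by default)",
    ("POST", "indexes"): "indexes_edit AND search",
    ("GET", "inputs/http-event-collectors"): "list_token_http OR edit_token_http",
    ("POST", "inputs/http-event-collectors"): "edit_token_http AND indexes_edit AND search",
    ("POST", "tokens"): "edit_tokens_all AND edit_tokens_settings",
    ("DELETE", "tokens/{tokenID}"): "edit_tokens_all OR edit_tokens_settings",
    ("POST", "access/{feature}/ipallowlists"): "edit_ip_allow_list",
}

# Constructed sample roles; capability sets are illustrative, not Splunk defaults.
SAMPLE_ROLES: Dict[str, FrozenSet[str]] = {
    "index_manager": frozenset({"indexes_edit", "search"}),
    "hec_viewer": frozenset({"list_token_http", "search"}),
    "app_deployer": frozenset({"edit_local_apps", "install_apps"}),
}


def required_capabilities(cell: str) -> Tuple[str, FrozenSet[str]]:
    """Parse a requirement cell into (operator, capabilities).

    Parenthetical notes such as "(SHC)" are stripped first. Returns
    ("NONE", empty set) when the cell says no capability is required.
    """
    cleaned = re.sub(r"\([^)]*\)", "", cell).strip()
    if cleaned.lower() == "none":
        return "NONE", frozenset()
    if " AND " in cleaned and " OR " in cleaned:
        raise ValueError(f"mixed AND/OR not supported: {cell!r}")
    op = "OR" if " OR " in cleaned else "AND"
    caps = frozenset(p.strip() for p in cleaned.split(f" {op} ") if p.strip())
    return op, caps


def is_permitted(role_caps: FrozenSet[str], method: str, endpoint: str) -> bool:
    """True if the role holds what the table requires for this operation."""
    cell = ACS_REQUIREMENTS.get((method.upper(), endpoint))
    if cell is None:
        raise KeyError(f"no requirement recorded for {method} {endpoint}")
    op, caps = required_capabilities(cell)
    if op == "NONE":
        return True
    if op == "AND":
        return caps <= role_caps          # every listed capability is present
    return bool(caps & role_caps)         # at least one listed capability is present


def missing_capabilities(role_caps: FrozenSet[str], method: str, endpoint: str) -> FrozenSet[str]:
    """Capabilities the role lacks for this operation (empty if permitted).

    For an OR requirement, adding any one of the returned capabilities suffices.
    """
    if is_permitted(role_caps, method, endpoint):
        return frozenset()
    _, caps = required_capabilities(ACS_REQUIREMENTS[(method.upper(), endpoint)])
    return caps - role_caps


def permitted_operations(role_caps: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Effective ACS permissions of a role over the recorded operations."""
    return sorted(k for k in ACS_REQUIREMENTS if is_permitted(role_caps, *k))


if __name__ == "__main__":
    for name, caps in SAMPLE_ROLES.items():
        print(name, "->", permitted_operations(caps))
    print("index_manager missing for POST inputs/http-event-collectors:",
          sorted(missing_capabilities(SAMPLE_ROLES["index_manager"],
                                      "POST", "inputs/http-event-collectors")))
```

Running the script prints, for each sample role, the operations it can perform, which makes the difference between an AND cell (all capabilities needed) and an OR cell (any one suffices) visible before a role is assigned.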
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408