Splunk Cloud Platform

Securing Splunk Cloud Platform

Manage Splunk user roles with LDAP

To configure the Splunk platform to use LDAP authentication, you must first create a Splunk strategy for each LDAP server and then map Splunk roles to the groups on the LDAP server. When a user attempts to log in, the Splunk platform queries the LDAP servers to find the user. It then grants the user permissions based on the Splunk roles that you have mapped to the LDAP groups that the user belongs to.

The Splunk platform checks LDAP membership information when a user attempts to log in. You do not need to reload the authentication configuration when you add or remove users.

If you need to change the permissions that a user has, you have several options:

  • To change the permissions for a group of users, you can remap the LDAP group to a different Splunk role. You can also update the role itself to specify a different set of permissions or capabilities for it. You do this on the Splunk platform.
  • To change the permissions for an individual user, you can move the user to an LDAP group that you have mapped to a different Splunk role. You do this on the LDAP server.

Here are some example user management activities:

  • To assign a Splunk role to a user: First, in Splunk Web, confirm that you've mapped the Splunk role to an LDAP group. Then, on your LDAP server, add the user to that LDAP group.
  • To remove a Splunk role from a user: On your LDAP server, remove the user from the corresponding LDAP group.

A user can hold several roles. In that case, the user has access to all the capabilities that come with those roles. For example, if the user is a member of both the "docs" and "eng" LDAP groups, and "docs" is mapped to the "user" Splunk role while "eng" is mapped to "admin", the user obtains all permissions assigned to both the "user" and "admin" Splunk roles.
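The mapping rules described above can be reviewed offline before you change LDAP group membership. The following is an added example, not Splunk code or part of the original documentation: it computes each user's effective Splunk roles as the union of the roles mapped to their LDAP groups and reports which group grants a sensitive role. The role map reuses the "docs" and "eng" example; the users, the "contractors" group, and all function names are constructed for illustration.

```python
# Added example with constructed data; not Splunk code or a Splunk API.

# Splunk role -> LDAP groups mapped to it (the page's "docs"/"eng" example).
ROLE_MAP = {
    "user": {"docs"},
    "admin": {"eng"},
}

# Constructed LDAP export: user -> groups the user belongs to.
# "contractors" is a constructed group that is mapped to no Splunk role.
MEMBERSHIPS = {
    "alice": {"docs", "eng"},
    "bob": {"docs"},
    "carol": {"contractors"},
}

PRIVILEGED_ROLES = {"admin"}  # assumption: roles the reviewer treats as sensitive


def roles_by_group(role_map):
    """Invert role -> groups into group -> roles."""
    inverted = {}
    for role, groups in role_map.items():
        for group in groups:
            inverted.setdefault(group, set()).add(role)
    return inverted


def effective_roles(groups, role_map):
    """Union of every role mapped to any group the user is in."""
    by_group = roles_by_group(role_map)
    roles = set()
    for group in groups:
        roles |= by_group.get(group, set())
    return roles


def audit(memberships, role_map, privileged=PRIVILEGED_ROLES):
    """Per user: effective roles and the groups that grant a privileged role."""
    report = {}
    for user, groups in sorted(memberships.items()):
        grants = sorted(g for g in groups
                        if any(g in role_map.get(r, set()) for r in privileged))
        report[user] = {"roles": sorted(effective_roles(groups, role_map)),
                        "privileged_via": grants}
    return report


if __name__ == "__main__":
    for user, row in audit(MEMBERSHIPS, ROLE_MAP).items():
        print(user, row)
```

A user whose groups are all unmapped, like "carol" here, ends up with an empty role list, which makes gaps in the mapping visible alongside unexpected "admin" grants.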

Last modified on 20 May, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403
