Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage user accounts and account roles in Splunk UBA

Add user accounts to Splunk User Behavior Analytics.

Understand account roles

Each user account is associated with a role in Splunk UBA that defines the user's level of access and privileges in the system.

The following types of user account roles exist in Splunk UBA:

  • Admin (uba_admin)
  • Analyst (uba_analyst)
  • Content_Developer (uba_content_developer)
  • PII_Unmask (uba_pii_unmask)
  • User (uba_user)

To add additional roles, you can create custom roles or clone existing roles. See Create a custom role or Clone an existing role.

To view account roles, perform the following tasks:

  1. In Splunk UBA, select Manage > UBA Accounts.
  2. Select Account Roles
  3. Click on the elipsis icon in the role to view the default privileges associated with each role.

The default privileges for each role have the following permissions:

UBA Role User PII_Unmask Content_Developer Analyst Admin
Anomalies View View View View View/Edit
Anomaly Rules View View View View/Edit
Assets View View View View/Edit
Audit Logs View
Black/White Lists View View View View/Edit
Cluster View/Edit
Cubes View View View/Edit View View
Data Sources View View View View/Edit
Diagnostics View View View
Event Filters View/Edit
HR Data View/Edit
IDR Exclusions View View View View View/Edit
License View View View View View/Edit
Models View View View/Edit View
Output Connectors View View View View/Edit
PII Masking Settings (for defining global PII masking settings) View/Edit
PII Unmask (to unmask PII for users assigned to this role) View View
Service Apps View
Subscription Content View View View View View/Edit
System Settings View/Edit
Threat Rules View View View View/Edit
Threats View View View/Edit View/Close View/Close
User Accounts View/Edit
Watchlists View View View/Edit View/Edit View/Edit

In order for a user to have access to PII Masking Settings, the user must also have access to System Settings.

Create a custom role

Create a custom role to grant or restrict specific privileges, in the event that the default UBA roles do not provide enough granularity for your needs. For example, you can create a custom admin with full admin privileges but restrict the ability to create or edit user accounts.

To create a custom role:

  1. Select Manage > UBA Accounts.
  2. Click Account Roles.
  3. Select New Account Role.
  4. Specify a name for the role.
  5. In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
  6. Click OK to create the role.

To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. It is a good idea to begin all UBA roles with uba_ to match the default UBA roles uba_user, uba_analyst, and uba_admin. See Configure authentication for Splunk platform users.

When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.

To configure a role for single sign-on (SSO) authentication, you must configure the role with the exact name as the group name in your SSO identity provider.

Clone an existing role

To clone an existing role:

  1. Select Manage > UBA Accounts.
  2. Click Account Roles.
  3. Select the the clone icon icon in the role you want to clone.
  4. Change the name for the role as desired.
  5. In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
  6. Click OK to clone the role.

To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. See Configure authentication for Splunk platform users.

When cloning a role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the role is cloned, it can be assigned to any user in the Splunk platform.

Add a local user account

To create a new local user account:

  1. Select Manage > UBA Accounts.
  2. Click New UBA Account.
  3. Enter a Username.
  4. Type a password and confirm the password.
  5. Select a Role for the account.
  6. Click the checkbox in Allow PII Unmasking if you want this user to be able to view PII.
    See Disable PII masking for specific users in Splunk UBA for more information.
  7. Click OK to create the account.
Last modified on 12 August, 2019
PREVIOUS
Where services run in Splunk UBA
  NEXT
Configure authentication for Splunk platform users

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters