Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Manage user accounts and account roles in Splunk UBA

Each user account is associated with a role in Splunk UBA. That role determines the user's level of access and privileges in the system.

The following types of user account roles are included in Splunk UBA:

  • Admin (uba_admin)
  • Analyst (uba_analyst)
  • Content_Developer (uba_content_developer)
  • PII_Unmask (uba_pii_unmask)
  • User (uba_user)

If you need additional roles, you can create custom roles or clone existing roles. See Create a custom role or Clone an existing role.

To view account roles, perform the following tasks:

  1. In Splunk UBA, select Manage > UBA Accounts.
  2. Select Account Roles
  3. Click on the ellipsis icon in the role to view the default privileges associated with each role.

The default privileges for each role have the following permissions:

UBA Role User PII_Unmask Content_Developer Analyst Admin
Anomalies View View View/Edit View View/Edit
Anomaly Rules View  . View/Edit View View/Edit
Assets View  . View View View/Edit
Audit Logs  .  .  .  . View
Cluster  .  .  .  . View/Edit
Cubes View View View/Edit View View
Data Sources View  . View/Edit View View/Edit
Deny/Allow Lists View  . View View View/Edit
Diagnostics  .  . View View View
Event Filters  .  .  .  . View/Edit
HR Data  .  .  .  . View/Edit
IDR Exclusions View View View View View/Edit
License View View View View View/Edit
Models View View View/Edit View  .
Output Connectors View  . View View View/Edit
PII Masking Settings (for defining global PII masking settings)  .  .  .  . View/Edit
PII Unmask (to unmask PII for users assigned to this role)  . View  .  . View
Service Apps  .  .  .  . View
Subscription Content View View View View View/Edit
System Settings  .  .  .  . View/Edit
Threat Rules View  . View/Edit View View/Edit
Threats View View View/Close View/Close View/Close
User Accounts  .  .  .  . View/Edit
Watchlists View View View/Edit View/Edit View/Edit

In order for a user to access PII Masking Settings, the user must also have access to System Settings.

Create a custom role

Create a custom role to grant or restrict specific privileges, in the event that the default UBA roles do not provide enough granularity for your needs. For example, you can create a custom admin with full admin privileges but restrict the ability to create or edit user accounts.

Complete the following steps to create a custom role:

  1. Select Manage > UBA Accounts.
  2. Click Account Roles.
  3. Select New Account Role.
  4. Specify a name for the role.
  5. In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
  6. Click OK to create the role.

To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. You can consider starting all UBA roles with uba_ to match the default UBA roles uba_user, uba_analyst, and uba_admin. See Configure authentication for Splunk platform users.

When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.

To configure a role for single sign-on (SSO) authentication, you must configure the role with the exact name as the group name in your SSO identity provider.

Clone an existing role

Complete the following steps to clone an existing role:

  1. Select Manage > UBA Accounts.
  2. Click Account Roles.
  3. Select the the clone icon icon in the role you want to clone.
  4. Change the name for the role as desired.
  5. In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
  6. Click OK to clone the role.

To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. See Configure authentication for Splunk platform users.

When cloning a role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the role is cloned, it can be assigned to any user in the Splunk platform.

Add a local user account

Complete the following steps to create a new local user account:

  1. Select Manage > UBA Accounts.
  2. Click New UBA Account.
  3. Enter a Username.
  4. Type a password and confirm the password.
  5. Select a Role for the account.
  6. Click the checkbox in Allow PII Unmasking if you want this user to be able to view PII.
    See Disable PII masking for specific users in Splunk UBA for more information.
  7. Click OK to create the account.
Last modified on 04 March, 2024
Where services run in Splunk UBA   Configure authentication for Splunk platform users

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters