Manage user accounts and account roles in Splunk UBA
Each user account is associated with a role in Splunk UBA. That role determines the user's level of access and privileges in the system.
The following types of user account roles are included in Splunk UBA:
- Admin (uba_admin)
- Analyst (uba_analyst)
- Content_Developer (uba_content_developer)
- PII_Unmask (uba_pii_unmask)
- User (uba_user)
If you need additional roles, you can create custom roles or clone existing roles. See Create a custom role or Clone an existing role.
To view account roles, perform the following tasks:
- In Splunk UBA, select Manage > UBA Accounts.
- Select Account Roles.
- Click on the ellipsis icon in the role to view the default privileges associated with each role.
The default privileges for each role have the following permissions:
UBA Role | User | PII_Unmask | Content_Developer | Analyst | Admin |
---|---|---|---|---|---|
Anomalies | View | View | View/Edit | View | View/Edit |
Anomaly Rules | View | . | View/Edit | View | View/Edit |
Assets | View | . | View | View | View/Edit |
Audit Logs | . | . | . | . | View |
Cluster | . | . | . | . | View/Edit |
Cubes | View | View | View/Edit | View | View |
Data Sources | View | . | View/Edit | View | View/Edit |
Deny/Allow Lists | View | . | View | View | View/Edit |
Diagnostics | . | . | View | View | View |
Event Filters | . | . | . | . | View/Edit |
HR Data | . | . | . | . | View/Edit |
IDR Exclusions | View | View | View | View | View/Edit |
License | View | View | View | View | View/Edit |
Models | View | View | View/Edit | View | . |
Output Connectors | View | . | View | View | View/Edit |
PII Masking Settings (for defining global PII masking settings) | . | . | . | . | View/Edit |
PII Unmask (to unmask PII for users assigned to this role) | . | View | . | . | View |
Service Apps | . | . | . | . | View |
Subscription Content | View | View | View | View | View/Edit |
System Settings | . | . | . | . | View/Edit |
Threat Rules | View | . | View/Edit | View | View/Edit |
Threats | View | View | View/Close | View/Close | View/Close |
User Accounts | . | . | . | . | View/Edit |
Watchlists | View | View | View/Edit | View/Edit | View/Edit |
In order for a user to access PII Masking Settings, the user must also have access to System Settings.
Create a custom role
Create a custom role to grant or restrict specific privileges when the default UBA roles do not provide enough granularity for your needs. For example, you can create a custom admin role with full admin privileges but without the ability to create or edit user accounts.
Complete the following steps to create a custom role:
- Select Manage > UBA Accounts.
- Click Account Roles.
- Select New Account Role.
- Specify a name for the role.
- In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
- Click OK to create the role.
To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. You can consider starting all UBA roles with uba_ to match the default UBA roles uba_user, uba_analyst, and uba_admin. See Configure authentication for Splunk platform users.
When creating a new role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the new role is created, it can be assigned to any user in the Splunk platform.
To configure a role for single sign-on (SSO) authentication, you must give the role exactly the same name as the group name in your SSO identity provider.
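The checks below are an added example, not Splunk code: they parse an excerpt of the default privilege table above and lint a proposed custom role for privileges beyond its baseline role, for the PII Masking Settings dependency on System Settings, and for role names that do not exactly match the Splunk platform or SSO side. The role names `uba_limited_admin` and `SOC_Analyst` and all function names are constructed for illustration.

```python
# Added example, not Splunk code. Excerpt of the default privilege table on
# this page (parenthetical notes dropped from the two PII row names).
TABLE = """\
UBA Role | User | PII_Unmask | Content_Developer | Analyst | Admin |
Audit Logs | . | . | . | . | View |
PII Masking Settings | . | . | . | . | View/Edit |
PII Unmask | . | View | . | . | View |
System Settings | . | . | . | . | View/Edit |
Threats | View | View | View/Close | View/Close | View/Close |
User Accounts | . | . | . | . | View/Edit |
Watchlists | View | View | View/Edit | View/Edit | View/Edit |
"""
# Ordering used to decide whether one level grants more than another.
RANK = {".": 0, "View": 1, "View/Close": 2, "View/Edit": 2}

def parse_matrix(text):
    """Return {role: {area: privilege}} from the pipe-delimited table."""
    rows = [[c.strip() for c in ln.rstrip(" |").split("|")]
            for ln in text.splitlines() if ln.strip()]
    roles, body = rows[0][1:], rows[1:]
    return {role: {r[0]: r[i + 1] for r in body} for i, role in enumerate(roles)}

def lint_role(name, privs, baseline):
    """Findings for a custom role measured against a baseline default role."""
    findings = []
    if not name.startswith("uba_"):
        findings.append(f"{name}: missing the suggested uba_ prefix")
    for area, level in sorted(privs.items()):
        base = baseline.get(area, ".")
        if RANK[level] > RANK[base]:
            findings.append(f"{area}: {level} exceeds baseline {base}")
    if privs.get("PII Masking Settings", ".") != "." and \
            privs.get("System Settings", ".") == ".":
        findings.append("PII Masking Settings needs System Settings access")
    return findings

def unmatched_names(uba_roles, external_names):
    """UBA roles with no exactly equal Splunk platform role or SSO group."""
    return sorted(set(uba_roles) - set(external_names))

MATRIX = parse_matrix(TABLE)
# Constructed roles: the page's restricted admin, and an over-broad analyst.
limited_admin = {**MATRIX["Admin"], "User Accounts": "."}
soc_analyst = {**MATRIX["Analyst"], "PII Masking Settings": "View/Edit"}

if __name__ == "__main__":
    print(lint_role("uba_limited_admin", limited_admin, MATRIX["Admin"]))
    print(lint_role("SOC_Analyst", soc_analyst, MATRIX["Analyst"]))
    print(unmatched_names(["uba_limited_admin"], ["UBA_Limited_Admin"]))
```

The name comparison is deliberately case-sensitive, because the role must carry the exact name on both sides.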
Clone an existing role
Complete the following steps to clone an existing role:
- Select Manage > UBA Accounts.
- Click Account Roles.
- Select the icon in the role you want to clone.
- Change the name for the role as desired.
- In the remainder of the screen, select the desired privileges for each target area. All users associated with this role will have the specified privileges.
- Click OK to clone the role.
To configure a Splunk platform user to log in to Splunk UBA using this role, you must configure the role with the exact name on the Splunk platform. See Configure authentication for Splunk platform users.
When cloning a role in the Splunk platform, you must first select the uba_user role in the Inheritance section of the page. After the role is cloned, it can be assigned to any user in the Splunk platform.
Add a local user account
Complete the following steps to create a new local user account:
- Select Manage > UBA Accounts.
- Click New UBA Account.
- Enter a Username.
- Type a password and confirm the password.
- Select a Role for the account.
- Click the checkbox in Allow PII Unmasking if you want this user to be able to view PII. See Disable PII masking for specific users in Splunk UBA for more information.
- Click OK to create the account.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1