Securing Splunk Enterprise
Add and edit roles with Splunk Web
When you create users, you can assign roles that determine the level of access that users have to the Splunk platform and the tasks that they can perform. The platform comes with a set of default roles that you can use. You can also create your own custom roles.
Roles contain one or more capabilities that provide access to specific parts of the Splunk platform. A user that has a role assigned to them receives all of the capabilities that are associated with the role. Roles can inherit capabilities from other roles, and you can manage that inheritance in Splunk Web.
While you can have any role inherit from any other role, custom roles that inherit from the admin or power users roles do not automatically inherit administrator-level access to the instance.
- For information about roles and how capabilities and permissions are inherited, see About configuring role-based user access.
- For information about granting management access to custom roles, see Add access controls to custom roles.
- For more information about role inheritance, see Role inheritance in the About role-based user access topic.
- For more information about how capabilities work, as well as the full list of capabilities, see About defining roles with capabilities.
Add or edit a role
Create or edit roles for your Splunk platform instance on the Roles page in Settings.
- Click Settings > Access Controls.
- On the Access controls page, click Roles.
- Click New to create a new role, or click an existing role to edit it.
- Enter a name for your role.
  Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- (Optional) In the Default app dropdown in the Resources tab, select the default Splunk app that appears when a user that holds this role logs in.
- (Optional) In the Restrict search terms field in the Resources tab, restrict the scope of the searches that users with the role can run. You can restrict the search terms they can use, set limits on search time, and set both user-level and role-level concurrent search limits.
  Search term restrictions offer limited security. A user can override some search term restrictions by creating a calculated field that references a field name listed here as a restricted term.
- (Optional) In the Inheritance tab, identify other roles from which your role inherits properties and capabilities. A user assigned to multiple roles inherits properties from the role with the broadest permissions.
  - Click Inheritance to display the contents of the Inheritance tab.
  - (Optional) In the Role Name field, type a string to display role names that contain the string.
  - Click the checkbox next to the roles from which you want this role to inherit permissions.
  - Click Save.
- (Optional) In the Capabilities tab, choose any individual capabilities that you want to provide to this role.
  - Click Capabilities to display the contents of the Capabilities tab.
  - (Optional) In the Capability Name field, type a string to display capability names that contain the string.
  - Click the checkbox next to the capabilities that you want to assign to this role.
  - Click Save.
  Capabilities that have been inherited from other roles appear grayed out and selected. You cannot deselect capabilities that come with inherited roles. You must save the role before you can see its inherited capabilities.
- (Optional) Use the Indexes tab to choose the indexes that the role can search, and which ones it searches by default. You can specify both event and metric indexes. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role.
  - Click Indexes to display the contents of the Indexes tab.
  - (Optional) In the Index Name field, type a string to display index names that begin with that string.
  - Click the Included checkbox for an index to allow searches and include search results from that index for this role.
  - Click the Default and Included checkboxes for an index to include search results from that index when a user that holds this role does not specify an index in their search.
  Indexes from inherited roles appear grayed out and selected. You cannot deselect indexes that come with inherited roles.
  - Click Save.
- Click Save.
Updates to the search term restrictions for a role do not take effect until you restart your Splunk platform instance. If you do not restart, the instance cannot enforce your search term restriction updates.
For more information about restarting the Splunk platform, see Start and stop Splunk Enterprise in the Admin Manual.
Search filter format
The Restrict search terms field can include any of the following search terms:
- source::
- host::
- index::
- sourcetype::
- eventtype= or eventtype::
- Search fields
When you specify search term restrictions, use the key::value syntax, when possible, to restrict search terms to indexed fields. Normal field values can be overwritten with user knowledge objects. The key::value syntax only applies to indexed fields.
You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.
The search terms cannot include any of the following:
- Saved searches
- Time operators
- Regular expressions
- Any fields or modifiers that you can override from the Splunk Web search bar
Special syntax rules for search filters of metric data
Search filters that limit user access to metric data do not follow the same rules as search filters for event data.
Search filters for metric data must use the key=value comparison syntax. Metrics search cannot use the key::value syntax.
Search filters for metric data can filter dimensions and metric names. For example, you can set up search filters for dimensions like os=linux or server=athens and metric names like metric_name=mem.free.
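The role form described in the procedure above and the filter rules in this section map directly onto a role stanza in authorize.conf. The following Python script is an added example, not Splunk's own code: it checks a role definition against the rules stated on this page (lowercase role names without spaces, colons or slashes; no time operators, saved searches or regular expressions in an event search filter; key=value rather than key::value for metrics filters; default indexes that are also included) and renders the equivalent stanza. The role, capability and index names are constructed for the example, the tokens it uses to detect each forbidden category are an assumption, and the authorize.conf key names (importRoles, srchIndexesAllowed, srchIndexesDefault, srchFilter) are taken from the companion "Add and edit roles with authorize.conf" topic rather than shown on this page.

```python
"""Lint a Splunk role definition against the rules on this page and render the
matching authorize.conf stanza.  Added example, not Splunk's own code."""
import re
from dataclasses import dataclass, field

# Categories the page says a search filter cannot contain.  How each category is
# recognised (the tokens below) is an assumption for this example, not a Splunk rule.
FORBIDDEN = {
    "time operator": re.compile(r"\b(earliest|latest|_time)\s*[=<>]", re.I),
    "saved search": re.compile(r"\bsavedsearch\b", re.I),
    "regular expression": re.compile(r"\b(regex|rex)\b|\|", re.I),
}
# key::value or key=value terms; a value ends at whitespace or a parenthesis.
TERM_RE = re.compile(r'([A-Za-z_][\w.]*)(::|=)("[^"]*"|[^\s()]+)')


@dataclass
class Role:
    name: str
    imported_roles: list = field(default_factory=list)
    capabilities: list = field(default_factory=list)
    indexes_allowed: list = field(default_factory=list)
    indexes_default: list = field(default_factory=list)
    srch_filter: str = ""
    metrics: bool = False  # True when the filter restricts metric data


def check_role_name(name):
    """Page rules: lowercase only; no spaces, colons or forward slashes."""
    problems = []
    if not name:
        problems.append("role name is empty")
    if name != name.lower():
        problems.append("role name must be lowercase")
    if any(c in name for c in " :/"):
        problems.append("role name cannot contain spaces, colons or forward slashes")
    return problems


def check_filter(srch_filter, metrics=False):
    """Return (errors, warnings) for a Restrict search terms value."""
    errors, warnings = [], []
    if not srch_filter.strip():
        return errors, warnings
    for what, pattern in FORBIDDEN.items():
        if pattern.search(srch_filter):
            errors.append(f"filter contains a {what}, which is not allowed")
    for key, op, value in TERM_RE.findall(srch_filter):
        if metrics:
            if op == "::":
                errors.append(f"{key}::{value}: metrics filters must use key=value")
        elif op == "=" and key != "eventtype":
            # '=' matches a search-time field, which a user can redefine with a
            # calculated field; '::' only ever matches the indexed value.
            warnings.append(
                f"{key}={value}: '=' matches a search-time field that a user can "
                f"override with a calculated field; prefer {key}::{value} if {key} is indexed"
            )
    return errors, warnings


def validate(role):
    """Run every check on a Role; returns (errors, warnings)."""
    errors = check_role_name(role.name)
    filter_errors, warnings = check_filter(role.srch_filter, role.metrics)
    errors += filter_errors
    # The Web form ties "Default" to "Included": a default index must be searchable.
    missing = [i for i in role.indexes_default if i not in role.indexes_allowed]
    if missing:
        errors.append("default indexes must also be included: " + ", ".join(missing))
    return errors, warnings


def render_stanza(role):
    """Render the authorize.conf stanza equivalent to the Splunk Web form (key
    names assumed from the authorize.conf topic; lists are ';'-separated)."""
    lines = [f"[role_{role.name}]"]
    if role.imported_roles:
        lines.append("importRoles = " + ";".join(role.imported_roles))
    if role.indexes_allowed:
        lines.append("srchIndexesAllowed = " + ";".join(role.indexes_allowed))
    if role.indexes_default:
        lines.append("srchIndexesDefault = " + ";".join(role.indexes_default))
    if role.srch_filter:
        lines.append("srchFilter = " + role.srch_filter)
    for cap in role.capabilities:
        lines.append(f"{cap} = enabled")
    return "\n".join(lines) + "\n"


# Constructed sample: an analyst role that inherits from "user", may search two
# indexes, and is pinned to two source types using the indexed-field syntax.
SOC_ANALYST = Role(
    name="soc_analyst",
    imported_roles=["user"],
    capabilities=["schedule_search", "edit_own_objects"],
    indexes_allowed=["web", "firewall"],
    indexes_default=["web"],
    srch_filter="(sourcetype::access_combined OR sourcetype::linux_secure) AND index::web",
)

if __name__ == "__main__":
    errs, warns = validate(SOC_ANALYST)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
    if not errs:
        print(render_stanza(SOC_ANALYST))
```

Run the script before saving a role to catch a filter that Splunk would accept but not enforce as intended, such as a host=web* term that a user can neutralise with a calculated field; the warning points you to the host::web* form. The stanza it prints is what the Splunk Web steps write to authorize.conf, and, as the note above says, a changed srchFilter still needs a restart before the instance enforces it.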
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9