Are there any limitations to using Splunk Apps and roles for access management?

Path Finder


I'm a Splunk Cloud admin who has the following challenge: I want to segregate the access of multiple teams within the company so they can only R/W the reports, alerts, and dashboards that are owned by such teams. My idea is to create an app for each team. Let's use this team structure for example:

  • SOC Team
  • AppSec Team
  • R&D Team


First, I would create the following roles:

  • SOC
  • AppSec
  • R&D

Second, I would create the following apps and attach the roles like this:

  • SOC (SOC Role has R/W access, others have NO access)
  • AppSec (AppSec Role has R/W access, others have READ only)
  • R&D Role (R&D Role has R/W access, others have READ only)


With this implemented, each team will be able to create alerts/dashboards/etc with the permission "shared in app" and this won't affect the other teams.


Is there any issue/limitation with this approach? I did not spot any issue.

0 Karma


That approach seems fine.  Remember that you are only controlling access to the knowledge objects (KOs) in those apps.  Any data used by those KOs may still be accessible to other roles.

If this reply helps you, Karma would be appreciated.
0 Karma

Path Finder

Oh yes, I know the indexes will continue to be seen by everyone by default. That is a whole different issue which is way harder to deal with xD

0 Karma
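
The app permissions proposed in the question and the index caveat raised in the replies, written out as the Splunk configuration they correspond to. This is an added example, not part of the original thread: the lowercase role names (`soc`, `appsec`, `rnd`), the app directory names and the index names are assumptions, and in Splunk Cloud these settings are normally made through the app Permissions and Roles pages rather than by editing files.

```ini
# --- App-level permissions: one metadata/local.meta per app -----------------
# The empty stanza [] sets the default ACL for every knowledge object in
# that app. The three stanzas below live in three separate files.

# etc/apps/soc/metadata/local.meta  (app directory name assumed)
# SOC app: soc has R/W, every other role has no access.
[]
access = read : [ soc ], write : [ soc ]
export = none

# etc/apps/appsec/metadata/local.meta  (app directory name assumed)
# AppSec app: appsec has R/W, all other roles are read only.
[]
access = read : [ * ], write : [ appsec ]
export = none

# etc/apps/rnd/metadata/local.meta  (app directory name assumed)
# R&D app: rnd has R/W, all other roles are read only.
[]
access = read : [ * ], write : [ rnd ]
export = none

# --- Data access: authorize.conf ---------------------------------------------
# The ACLs above cover knowledge objects only. Which indexes a role can
# search is a separate, per-role setting. Index names below are constructed.
# A role that imports another role (importRoles) also gets that role's
# allowed indexes, so a team role importing a role allowed to search * is
# not restricted by the lines below.

[role_soc]
srchIndexesAllowed = soc_events
srchIndexesDefault = soc_events

[role_appsec]
srchIndexesAllowed = appsec_scans
srchIndexesDefault = appsec_scans

[role_rnd]
srchIndexesAllowed = rnd_logs
srchIndexesDefault = rnd_logs
```

With only the metadata stanzas in place, a member of `appsec` cannot open a SOC dashboard, but can still search whatever indexes the `appsec` role is allowed, which is the gap the reply above points out.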