Security

Can you please suggest the right capabilities and inheritance that we should use to create/edit roles?

rjteh_splunk
Splunk Employee

We're trying to set up Role Based Access Controls for our security team who provisions roles and access. Can you please suggest the right capabilities and inheritance that we should use?

We had set up a test role with the following inheritance and capabilities.

Role Name: test
Inheritance role: user
Capabilities: edit_roles_grantable, edit_user

The complete list of capabilities for this test role is...

accelerate_search
change_own_password
edit_search_schedule_window
export_results_is_visible
get_metadata
get_typeahead
input_file
list_inputs
list_metrics_catalog
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search

This role works fine when trying to create roles that inherit user level access, but when we try to create a new role that inherits power or sc_admin, it throws an error as given below:

> ERROR AdminHandler:AuthenticationHandler - current user doesn't have permissions to create new role with imported role

rjteh_splunk
Splunk Employee

The "edit_roles_grantable" capability will only allow the user to create/edit the role if they have listed the roles in the "Inheritance" section of the custom role.

For example, if you want to create/edit a power role, the user must at least be assigned a custom role which inherits another custom role which has power capabilities or the power role itself (as shown below).


Once the user logs in and attempts to create a new role, they will be able to only select from the following list.


However, if you would like the user to be able to inherit from all available roles, you can add the "edit_roles" capability to achieve this. Documented here:

About defining roles with capabilities
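
As an added illustration (not part of the original answer and not Splunk's own logic), this Python sketch models the rule described above over a constructed `authorize.conf` and reports which roles a delegated role administrator could inherit from. Assumptions: the `role_admin` and `broad_admin` roles are hypothetical, inheritance is followed transitively, and the roles a user holds count as selectable themselves.

```python
import configparser
# Constructed authorize.conf text; role_admin and broad_admin are hypothetical roles.
SAMPLE_CONF = """
[role_user]
[role_power]
importRoles = user
[role_test]
importRoles = user
edit_roles_grantable = enabled
edit_user = enabled
[role_role_admin]
importRoles = power
edit_roles_grantable = enabled
edit_user = enabled
[role_broad_admin]
importRoles = user
edit_roles = enabled
"""

def load_roles(text):
    """Map role name -> (imported roles, enabled capabilities)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so importRoles is found
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            imports = [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()]
            caps = {k for k, v in cp[section].items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = (imports, caps)
    return roles

def closure(roles, held):
    """Held roles plus everything they import, transitively (cycle-safe)."""
    seen, stack = set(), list(held)
    while stack:
        name = stack.pop()
        if name in roles and name not in seen:
            seen.add(name)
            stack.extend(roles[name][0])
    return seen

def selectable_roles(roles, held):
    """Roles a user holding `held` could inherit from (simplified model of the answer's rule)."""
    chain = closure(roles, held)
    caps = set().union(*(roles[r][1] for r in chain))
    if "edit_roles" in caps:
        return set(roles)  # edit_roles: every defined role is available
    return chain if "edit_roles_grantable" in caps else set()
```

With the question's `test` role, `power` is absent from the result, which matches the reported error; a role carrying `edit_roles` gets every defined role and is the one to review first when auditing delegation.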
