Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you please suggest the right capabilities and inheritance that we should use to create/edit roles?

rjteh_splunk
Splunk Employee
Splunk Employee
‎10-18-2018 04:51 PM

We're trying to set up Role Based Access Controls for our security team who provisions roles and access. Can you please suggest the right capabilities and inheritance that we should use?

We had setup a test role with the following inheritance and capabilities.

Role Name: test
Inheritance role: user
Capabilities: edit_roles_grantable, edit_user

The complete list of capabilities for this test role is...

accelerate_search
change_own_password
edit_search_schedule_window
export_results_is_visible
get_metadata
get_typeahead
input_file
list_inputs
list_metrics_catalog
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search

This role works fine when trying to create roles that inherit user level access, but when we try to create a new role that inherits power or sc_admin, it throws an error as given below:

> ERROR AdminHandler:AuthenticationHandler - current user doesn't have permissions to create new role with imported role
0 Karma
Reply

rjteh_splunk
Splunk Employee
Splunk Employee
‎10-18-2018 05:12 PM

The "edit_roles_grantable" capability will only allow the user to create/edit the role if they have listed the roles in "Inheritance" section on the custom role.

For example, if you want to create/edit a power role, the user must at least be assigned a custom role which inherits another custom role which has power capabilities or the power role itself (as shown below).

alt text

Once the user logs in and attempts to create a new role, they will be able to only select from the following list.

alt text

However, if you would like the user to be able to inherit from all available roles, you can add the "edit_roles" capability to achieve this. Documented here:

About defining roles with capabilities

Preview file
1 KB
Preview file
1 KB
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...