Creating new custom roles

Jack90
Explorer

Hello,

I manage Splunk hybrid (cloud SH, on-premise DS, HF, etc.). I have a task to create custom roles and RBAC.

I have a few questions and I would be thankful if you could help me clarify them:

1) Do the custom roles populate between Splunk instances? For example, if I create a role on a cloud SH, will it populate automatically to the other cloud SHs and the on-premise DS? Or do I have to manually create roles and assign users everywhere?

2) Is there a set of Splunk best practices for role creation?

3) What is the difference if I create roles in the web GUI vs. on the backend (on on-prem instances)? Is the final result the same?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @Jack90,

Answering your questions:

1) Roles aren't distributed between Splunk servers and you have to manually populate them.

Anyway, remember that it's mandatory to create roles on Search Heads and Indexers, not on the other servers.

2) I didn't see best practices for role creation. I give you only one hint: avoid using inheritance, because you could get features and grants that you might not want.

3) You can create roles using the GUI or conf files, it's the same thing: I prefer the GUI to avoid syntax errors.

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/UseaccesscontroltosecureSplunkdata and https://lantern.splunk.com/Splunk_Success_Framework/People_Management/Setting_roles_and_responsibili...

Ciao.

Giuseppe

Jack90
Explorer

Thank you so much for your answer.

Could you kindly please clarify what you mean by setting roles on indexers in Splunk Cloud?

0 Karma

isoutamo
SplunkTrust

Hi

Some additions to @gcusello's answer.

Usually you don't need any other roles / users on indexers than admins. And those usually only if/when there is a need for CLI/REST API stuff. On Splunk Cloud you cannot have any roles/users on indexers.

In Splunk, all access to data is given by users/roles which are defined on the SH side, not on the IDX side!

When you want to use the same roles (and actually always) you should use conf files in a separate app, never use the GUI for managing those. Even better if you can manage those users / role names as AD users and groups which are bound to Splunk roles in a separate app's auth*.conf files.

Here is a .conf presentation on RBAC which is good to read before going forward: https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/

r. Ismo
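
The two hints in this thread (avoid inheritance, keep roles in conf files inside an app) can be checked together. The following is an added example, not code from the posters or from Splunk: it reads an authorize.conf and lists what each role receives only through `importRoles`. The role names and the sample file are constructed, and it assumes inheritance is the union of the imported roles' capabilities and `srchIndexesAllowed`.

```python
import configparser
# Constructed authorize.conf for a hypothetical app; all role names are invented.
SAMPLE_AUTHORIZE_CONF = """
[role_base_search]
search = enabled
srchIndexesAllowed = main
[role_ops_power]
importRoles = base_search
rtsearch = enabled
srchIndexesAllowed = main;os
[role_soc_analyst]
importRoles = ops_power
srchIndexesAllowed = security
[role_soc_readonly]
importRoles =
search = enabled
srchIndexesAllowed = security
"""

def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names such as importRoles case-sensitive
    cp.read_string(text)
    roles = {}
    for section in (s for s in cp.sections() if s.startswith("role_")):
        items = dict(cp[section])
        roles[section[len("role_"):]] = {
            "imports": _split(items.get("importRoles", "")),
            "caps": {k for k, v in items.items() if v.strip() == "enabled"},
            "indexes": set(_split(items.get("srchIndexesAllowed", ""))),
        }
    return roles

def effective(roles, name, seen=frozenset()):
    # Capabilities and indexes of a role, including every importRoles ancestor.
    if name in seen or name not in roles:  # stop on cycles and undefined roles
        return set(), set()
    caps, idx = set(roles[name]["caps"]), set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        parent_caps, parent_idx = effective(roles, parent, seen | {name})
        caps, idx = caps | parent_caps, idx | parent_idx
    return caps, idx

def inherited_only(roles, name):
    caps, idx = effective(roles, name)
    return caps - roles[name]["caps"], idx - roles[name]["indexes"]
```

In the sample, `soc_analyst` declares only the `security` index yet ends up with `search`, `rtsearch` and the `main` and `os` indexes through two levels of imports, while `soc_readonly` gets exactly what its own stanza lists.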

gcusello
SplunkTrust

Hi @Jack90,

sorry I didn't realize you were talking about Splunk Cloud!
Forget Indexers!

Ciao.

Giuseppe
