Hello,
I manage a hybrid Splunk deployment (cloud SH, on-premise DS, HF, etc.). I have been tasked with creating custom roles and RBAC.
I have a few questions and I would be thankful if you could help me clarify them:
1) Do custom roles propagate between Splunk instances? For example, if I create a role on the cloud SH, will it propagate automatically to the other cloud SHs and the on-premise DS? Or do I have to create the roles and assign users manually everywhere?
2) Is there a set of Splunk best practices for role creation?
3) What is the difference if I create roles in the web GUI vs. the backend (on on-prem instances)? Is the final result the same?
Hi @Jack90,
answering your questions:
1)
Roles aren't distributed between Splunk servers, and you have to populate them manually.
Anyway, remember that it's mandatory to create roles on Search Heads and Indexers, not on the other servers.
2)
I haven't seen best practices for role creation; I can give you only one hint: avoid using inheritance, because you could end up with features and grants that you don't want.
3)
You can create roles using the GUI or conf files; it's the same thing. I prefer the GUI to avoid syntax errors.
You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/UseaccesscontroltosecureSplunkdata and https://lantern.splunk.com/Splunk_Success_Framework/People_Management/Setting_roles_and_responsibili...
Ciao.
Giuseppe
Thank you so much for your answer.
Could you kindly clarify what you mean by setting roles on indexers in Splunk Cloud?
Hi
Some additions to @gcusello's answer.
Usually you don't need any roles/users on indexers other than admins, and those usually only if/when there is a need for CLI/REST API work. On Splunk Cloud you cannot have any roles/users on indexers.
In Splunk, all access to data is granted by users/roles that are defined on the SH side, not on the IDX side!
When you want to use the same roles (and actually always), you should use conf files in a separate app; never use the GUI for managing those. Even better if you can manage those users/role names as AD users and groups that are bound to Splunk roles in a separate app's auth*.conf files.
Here is a .conf presentation on RBAC that is good to read before going forward: https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/
r. Ismo
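As an added example (not part of any post in this thread), here is what the conf-file approach described above looks like when both hints are combined: a custom role in authorize.conf with no inherited roles (importRoles left empty, so every grant is explicit), and an authentication.conf in the same app that binds an AD group to that role instead of assigning users by hand. The app name corp_rbac, the role web_analyst, the index names, the LDAP host and every DN are placeholders; the capability and setting names are real authorize.conf/authentication.conf keys.

```ini
# etc/apps/corp_rbac/local/authorize.conf
# Custom role with NO inherited roles: importRoles is left empty on purpose,
# so every capability and index grant below is explicit and reviewable.
# All names are placeholders for this example.
[role_web_analyst]
importRoles =
# Capabilities: only what an analyst needs to run and save searches.
search = enabled
schedule_search = enabled
get_metadata = enabled
get_typeahead = enabled
rest_properties_get = enabled
edit_own_objects = enabled
# Data scope: indexes the role may search, and the default when none is named.
srchIndexesAllowed = web_prod;web_dev
srchIndexesDefault = web_prod
# Row-level restriction appended to every search this role runs.
srchFilter = sourcetype=access_combined
# Resource limits, so one role cannot starve the search head.
srchJobsQuota = 5
rtSrchJobsQuota = 2
srchDiskQuota = 500
srchTimeWin = 2592000
srchMaxTime = 3600

# etc/apps/corp_rbac/local/authentication.conf
# Placeholder LDAP settings. bindDNpassword is written in clear here and is
# encrypted by splunkd on first read, so protect the file until then.
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = ad.corp.example.com
port = 636
SSLEnabled = 1
bindDN = CN=svc-splunk,OU=Service Accounts,DC=corp,DC=example,DC=com
bindDNpassword = <set-on-deploy>
userBaseDN = OU=Users,DC=corp,DC=example,DC=com
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Groups,DC=corp,DC=example,DC=com
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# Role mapping: Splunk role -> one or more AD group DNs, separated by ';'.
# Nobody is assigned web_analyst by hand; membership of the AD group decides.
[roleMap_corp_ad]
web_analyst = CN=Splunk-Web-Analysts,OU=Groups,DC=corp,DC=example,DC=com
admin = CN=Splunk-Admins,OU=Groups,DC=corp,DC=example,DC=com
```

On an on-prem search head you can check what actually took effect, and which file it came from, with `splunk btool authorize list role_web_analyst --debug` and `splunk btool authentication list --debug`, then apply the authentication change with `splunk reload auth`. If the search head authenticates with SAML (the usual case on Splunk Cloud), the group-to-role mapping goes in a `[roleMap_SAML]` stanza keyed by the group names the IdP sends instead of the LDAP stanza shown here, and the app reaches a Splunk Cloud search head through the platform's app deployment process rather than a file copy.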