Security

Creating new custom roles

Jack90
Explorer

Hello,

I manage a Splunk hybrid (cloud SH, on-premise DS, HF etc.). I have a task to create custom roles and RBAC.

I have a few questions and I would be thankful if you could help me clarify them:

1) Do the custom roles populate between Splunk instances? For example, if I create a role on the cloud SH, will it populate automatically to the other cloud SH and the on-premise DS? Or do I have to create the roles and assign users manually everywhere?

2) Is there a set of Splunk best practices for role creation?

3) What is the difference if I create roles in the web GUI vs the backend (on on-prem instances)? Is the final result the same?


gcusello
SplunkTrust

Hi @Jack90,

answering your questions:

1)

roles aren't distributed between Splunk servers and you have to manually populate them.

Anyway, remember that it's mandatory to create roles on Search Heads and Indexers, not on the other servers.

2)

I didn't see best practices for role creation, I give you only one hint: avoid using inheritance, because you could have features and grants that you might not want.

3)

you can create roles using the GUI or conf files, it's the same thing: I prefer the GUI to avoid syntax errors.

you can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/UseaccesscontroltosecureSplunkdata and https://lantern.splunk.com/Splunk_Success_Framework/People_Management/Setting_roles_and_responsibili... 

Ciao.

Giuseppe


Jack90
Explorer

Thank you so much for your answer.

Could you kindly clarify what you mean by setting roles on indexers in Splunk Cloud?

isoutamo
SplunkTrust

Hi

some additions to @gcusello's answer.

Usually you don't need any other roles / users on indexers than admins. And those usually only if/when there is a need for CLI/REST API work. On Splunk Cloud you cannot have any roles/users on indexers.

In Splunk all access to data is given by users/roles which are defined on the SH side, not on the IDX side!

When you want to use the same roles (and actually always) you should use conf files in a separate app, never use the GUI for managing those. Even better if you can manage those users / role names as AD users and groups which are bound to Splunk roles in a separate app's auth*.conf files.

Here is a .conf presentation on RBAC which is good to read before going forward https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/

r. Ismo
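Two points in this thread are easy to check mechanically once roles live in an app's conf files: gcusello's advice to watch out for inheritance (a role's `importRoles` pulls in capabilities and index access you may not have intended), and the roleMap binding of AD groups to Splunk roles in `authentication.conf`. The script below is an added example, not code from the original posts or from Splunk; it parses constructed sample `authorize.conf` and `authentication.conf` text (the role names, index names, AD group DNs and the `corp_ad` strategy name are all hypothetical), resolves each role's effective capabilities and allowed indexes through `importRoles`, and reports roles that use inheritance, imports it cannot resolve in the file (built-ins such as `power`, or typos), and roleMap entries that point at roles with no stanza. It assumes inherited roles contribute their allowed indexes to the importing role, so it unions them.

```python
"""Audit Splunk authorize.conf / authentication.conf for role inheritance and
AD-group-to-role mappings. Added example; the sample conf text is constructed."""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample of an app-local authorize.conf (the "separate app" pattern).
SAMPLE_AUTHORIZE_CONF = """
[role_soc_analyst]
srchIndexesAllowed = security;firewall
srchIndexesDefault = security
srchMaxTime = 8640000
search = enabled
rest_properties_get = enabled

[role_soc_lead]
importRoles = soc_analyst;power
edit_search_schedule_priority = enabled
"""

# Constructed sample roleMap stanza for a hypothetical LDAP/AD strategy "corp_ad".
SAMPLE_AUTHENTICATION_CONF = """
[roleMap_corp_ad]
soc_analyst = CN=SOC-Analysts,OU=Groups,DC=example,DC=com
soc_lead = CN=SOC-Leads,OU=Groups,DC=example,DC=com
threat_hunter = CN=Hunters,OU=Groups,DC=example,DC=com
"""

# Settings in a [role_*] stanza that are not capabilities.
_ROLE_SETTINGS = {"importRoles", "srchIndexesAllowed", "srchIndexesDefault",
                  "srchFilter", "srchMaxTime", "srchJobsQuota", "rtSrchJobsQuota",
                  "srchDiskQuota", "cumulativeSrchJobsQuota",
                  "cumulativeRTSrchJobsQuota", "srchTimeWin", "srchTimeEarliest"}


def _read_conf(text: str) -> configparser.ConfigParser:
    # Splunk conf files are INI-like: disable interpolation so '%' stays literal
    # and keep key case, since Splunk setting names are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    cp = _read_conf(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def effective_role(roles: Dict[str, Dict[str, str]], name: str,
                   _seen: Set[str] = None) -> Tuple[Set[str], Set[str], List[str], List[str]]:
    """Resolve a role transitively through importRoles.
    Returns (capabilities, allowed_indexes, resolved_imports, unresolved_imports)."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:          # guard against inheritance cycles
        return set(), set(), [], []
    _seen.add(name)
    stanza = roles[name]
    caps = {k for k, v in stanza.items()
            if k not in _ROLE_SETTINGS and v.strip().lower() == "enabled"}
    indexes = set(_split_list(stanza.get("srchIndexesAllowed", "")))
    chain, unresolved = [], []
    for parent in _split_list(stanza.get("importRoles", "")):
        if parent not in roles:
            # Not in this file: a built-in like 'user'/'power', or a typo.
            unresolved.append(parent)
            continue
        chain.append(parent)
        pc, pi, pchain, pun = effective_role(roles, parent, _seen)
        caps |= pc; indexes |= pi; chain += pchain; unresolved += pun
    return caps, indexes, chain, unresolved


def parse_role_map(text: str) -> Dict[str, Dict[str, List[str]]]:
    cp = _read_conf(text)
    return {s[len("roleMap_"):]: {role: _split_list(groups) for role, groups in cp[s].items()}
            for s in cp.sections() if s.startswith("roleMap_")}


def audit(authorize_text: str, authentication_text: str) -> Dict[str, object]:
    roles = parse_roles(authorize_text)
    report, warnings = {}, []
    for name in roles:
        caps, idx, chain, unresolved = effective_role(roles, name)
        report[name] = {"capabilities": sorted(caps), "indexes": sorted(idx),
                        "uses_inheritance": bool(chain or unresolved),
                        "imports": chain, "unresolved_imports": unresolved}
        if chain or unresolved:
            warnings.append(f"role {name} imports {chain + unresolved}: review inherited "
                            f"capabilities {sorted(caps)} and indexes {sorted(idx)}")
        for parent in unresolved:
            warnings.append(f"role {name} imports '{parent}', not defined in this authorize.conf")
    mapped = {r for strategy in parse_role_map(authentication_text).values() for r in strategy}
    for role in sorted(mapped - set(roles)):
        warnings.append(f"roleMap binds AD group(s) to '{role}', which has no [role_{role}] stanza")
    return {"roles": report, "warnings": warnings}


if __name__ == "__main__":
    for w in audit(SAMPLE_AUTHORIZE_CONF, SAMPLE_AUTHENTICATION_CONF)["warnings"]:
        print("WARN:", w)
```

Point `audit` at the contents of your app's `local/authorize.conf` and `local/authentication.conf` (or the output of `btool ... list` if you want the merged view across apps) and review every warning before deploying the app to the search heads.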

gcusello
SplunkTrust

Hi @Jack90,

sorry I didn't realize you were talking about Splunk Cloud!
Forget Indexers!

Ciao.

Giuseppe
