Deployment: on premise, distributed
Splunk Platform version : 7.2.6
Enterprise Security version : 5.3.0
We are trying to refine the roles to be granted to our SOC team based on a "least privileges" principle so they can use the ES features in an "autonomous" way.
To clarify this a bit:
- We use our Splunk infra for 3 main use cases: IT operations and monitoring, Applications operations and monitoring and Security monitoring
- We have two different Splunk teams: one Splunk admin team (which has the platform admin role granted) for managing and operating the Splunk platform part and a SOC team who use and customize "Enterprise Security" specifically
- In production, we have two SHs clusters: one for running the apps for the IT and App operations use cases and one dedicated to run the Enterprise Security app
- These two SHs clusters are connected to the same Indexers Cluster and they are configured to use the same SAML LDAP server for authentication
- We would like to avoid giving the Splunk platform Admin role/user to our SOC team members (to avoid them to be able to stop or restart the ES SHs nodes, etc) and only grant (to some of) them the ESS_Admin role so they can "create/modify/delete ES objects" like Correlation Searches, investigations, ... and use most important parts of the "Configure" menu of ES (Content Management, use case library, ...)
We checked the https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles documentation but are a bit confused on this particular point.
Could somebody confirm ES supports the type of roles segregation we try to achieve and do not require to give the platorm admin role to our SOC team?
Thanks in advance for your help on this question.
Thanks for you answer.
Could we "workaround" this by creating a custom "soc_team_admin" role inheriting from the ess_analyst one, adding the missing capabilities between ess_admin compared to ess_analyst without making that soc_team_admin role inheriting from platform admin role?
If this is an option, shall we do anything more like changing ES objects ownership etc?
You can do that - "creating a custom "soc_team_admin" role inheriting from the ess_analyst one, adding the missing capabilities between ess_admin compared to ess_analyst"
Further, I don't think any object ownership need to changed.
Note: Pls provide your comments using 'Add comment' link of corresponding answer rather than post as a new answer.