
Enterprise Security ess_admin role vs admin role

gdigrego
Path Finder

Deployment: on premise, distributed
Splunk Platform version : 7.2.6
Enterprise Security version : 5.3.0

Hello,

We are trying to refine the roles to be granted to our SOC team based on a "least privileges" principle so they can use the ES features in an "autonomous" way.

To clarify this a bit:
- We use our Splunk infra for 3 main use cases: IT operations and monitoring, Applications operations and monitoring and Security monitoring
- We have two different Splunk teams: one Splunk admin team (which has the platform admin role granted) for managing and operating the Splunk platform part and a SOC team who use and customize "Enterprise Security" specifically
- In production, we have two SH clusters: one for running the apps for the IT and App operations use cases and one dedicated to running the Enterprise Security app
- These two SH clusters are connected to the same Indexer Cluster and they are configured to use the same SAML LDAP server for authentication
- We would like to avoid giving the Splunk platform Admin role/user to our SOC team members (to avoid them being able to stop or restart the ES SH nodes, etc.) and only grant (to some of) them the ESS_Admin role so they can "create/modify/delete ES objects" like Correlation Searches, investigations, ... and use the most important parts of the "Configure" menu of ES (Content Management, use case library, ...)

We checked the https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles documentation but are a bit confused on this particular point.

Could somebody confirm that ES supports the type of role segregation we are trying to achieve and does not require giving the platform admin role to our SOC team?

Thanks in advance for your help on this question.

Best Regards.

1 Solution

jawaharas
Motivator

You are right. Splunk doesn't recommend assigning 'ES Admin Role' to users who don't have 'admin' role.

You can modify the permissions in ESS app as per your requirement. ES > Configure > General > Permissions

ES Permissions


gdigrego
Path Finder

Hello Jawaharas,

Thanks for your answer.

Could we "work around" this by creating a custom "soc_team_admin" role inheriting from the ess_analyst one, adding the capabilities that ess_admin has but ess_analyst lacks, without making that soc_team_admin role inherit from the platform admin role?

If this is an option, shall we do anything more like changing ES objects ownership etc?

Best Regards.


jawaharas
Motivator

You can do that - "creating a custom "soc_team_admin" role inheriting from the ess_analyst one, adding the missing capabilities between ess_admin compared to ess_analyst"

Further, I don't think any object ownership needs to be changed.

Note: Please provide your comments using the 'Add comment' link of the corresponding answer rather than posting a new answer.
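A worked illustration of the approach agreed above (a "soc_team_admin" role built from ess_analyst plus the ES capabilities that only ess_admin carries, without inheriting platform admin), added here as an example and not code from either poster or from Splunk. It assumes the JSON shape of the Splunk REST endpoint `/services/authorization/roles/<role>?output_mode=json` (`entry[0].content.capabilities`, `imported_capabilities`, `imported_roles`); the role payloads, capability names and the `PLATFORM_ONLY` list are constructed for illustration and must be replaced with the output of your own ES search head.

```python
"""Draft a least-privilege SOC role by diffing two Splunk roles.

Assumed shape of the Splunk REST response for
GET /services/authorization/roles/<role>?output_mode=json:
entry[0].content.capabilities, .imported_capabilities, .imported_roles.
Fetch the real payloads from your search head; the samples below are constructed.
"""
import json

# Constructed sample payloads (not real ES role data); capability names are illustrative.
SAMPLE_ROLES = json.loads("""{
  "ess_analyst": {"entry": [{"name": "ess_analyst", "content": {
      "capabilities": ["edit_notable_events", "search"],
      "imported_capabilities": [],
      "imported_roles": ["user"]}}]},
  "ess_admin": {"entry": [{"name": "ess_admin", "content": {
      "capabilities": ["edit_correlationsearches", "edit_notable_events", "search"],
      "imported_capabilities": ["edit_roles", "edit_user", "restart_splunkd"],
      "imported_roles": ["admin"]}}]}
}""")

# Platform capabilities a non-admin SOC role must never receive (illustrative list,
# extend it from your own 'admin' role before use).
PLATFORM_ONLY = {"admin_all_objects", "edit_roles", "edit_user", "restart_splunkd"}


def effective_caps(payload):
    """Own plus inherited capabilities of one role, as a set."""
    content = payload["entry"][0]["content"]
    return set(content["capabilities"]) | set(content["imported_capabilities"])


def capability_delta(upper, lower):
    """Return (caps to grant, caps withheld): what `upper` has beyond `lower`,
    split into capabilities safe to copy and platform-only ones we refuse to copy."""
    missing = effective_caps(upper) - effective_caps(lower)
    grant = sorted(missing - PLATFORM_ONLY)
    withheld = sorted(missing & PLATFORM_ONLY)
    return grant, withheld


def authorize_stanza(role_name, base_role, caps):
    """Render an authorize.conf stanza that imports base_role and enables caps explicitly."""
    lines = [f"[role_{role_name}]", f"importRoles = {base_role}"]
    lines += [f"{cap} = enabled" for cap in caps]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    grant, withheld = capability_delta(SAMPLE_ROLES["ess_admin"], SAMPLE_ROLES["ess_analyst"])
    print(authorize_stanza("soc_team_admin", "ess_analyst", grant))
    print("# withheld (platform-only):", ", ".join(withheld))
```

Review the withheld list by hand: anything that ends up there is exactly the platform power (restart, user and role editing) the question wants to keep away from the SOC team.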

jawaharas
Motivator

@gdigrego

If my answer helped you, please accept and/or upvote it!

