How do roles inherit capabilities and properties?

New Member

After reading through some documentation and several discussions, I have not been able to find out whether roles are inherited recursively, i.e.:

  • role2 imports role1
  • role3 imports role2
  • (role3 does not import role1 directly)
  1. Does role3 then have all the capabilities which were defined in role1?
  2. Does role3 then have all the properties (e.g. srchTimeWin) which were defined in role1 and not overwritten in role2?

Thanks in advance for any help.


Re: How do roles inherit capabilities and properties?

New Member

Let me put a bit more precision into my question:

Givens / understanding:
Capabilities can only be disabled (= not granted; this is the default), or enabled (= granted). (They cannot be set to disabled, but they can only be left disabled by not enabling them.)
Properties can take numeric, or alphanumeric, values, e.g. srchJobsQuota=10, srchIndexesAllowed=main.

Scenario 1:
- role1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role4 imports role1 and role2.

Question Q1:
role4 then has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
- properties pA=100, pB=200 (from role2, because 200>100), pC=100 (from role1, because 100>1), pD=100.

Is this correct?

Scenario 2:
- role1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role2 imports role1;
- role3 imports role2;
- role3 does not import role1 explicitly.

Then, what is the outcome:

Question Q2.A -- with regards to capabilities:

Option A1:
role3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.

This would be identical to role3 importing both role1 and role2.
I.e.:
- capabilities are inherited recursively;

Option A2:
role3 has
- capabilities cC=enabled, cD=enabled.

I.e.:
- capabilities are not inherited recursively;

Which option is correct?

Question Q2.B -- with regards to properties:

Option B1:
role3 has
- properties pA=100, pB=200 (from role2, because 200>100), pC=100 (from role1, because 100>1), pD=100.

This would be identical to role3 importing both role1 and role2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.

Option B2:
role3 has
- properties pA=100, pB=200 (from role2, because role2 overwrites role1), pC=1 (from role2, because role2 overwrites role1), pD=100.

I.e.:
- properties are inherited recursively, taking the value of the "youngest generation" of ancestor roles for a property defined in more than one role within the inheritance chain.

Option B3:
role3 has
- properties pB=200 (from role2), pC=1 (from role2), pD=100.

I.e.:
- properties are not inherited recursively.

Option B4:
role3 has
- no properties set.

I.e.:
- properties are not inherited (at all).

Which one is correct?

Thanks a lot in advance for helping clarify this.


Re: How do roles inherit capabilities and properties?

Splunk Employee

The basic concept of inherited roles is that we can define a "basic user role" which gives users access to the minimum capabilities and property values needed to use Splunk. Additional roles can then be created that ADD additional capabilities or INCREASE property values.

I believe there are three rules to consider:
- role inheritance is cumulative (i.e. if role2 inherits from role1, and role3 inherits from role2 only, role2 inherits ALL the capabilities from role2 AND role1);
- if a capability has been granted in a role (say role1), it cannot be revoked by any subsequent role that inherits role1;
- if a property value has been set in a role (say role1), it can only be INCREASED by any subsequent role that inherits role1. It cannot be DECREASED.

So if we treat any capability as a binary (true / granted = 1, false / denied = 0), then our basic logic is that the highest value for a capability or property wins, regardless of whether that value is set in the current role or the inherited role.

So to finally answer your questions: 🙂

Scenario 1:
role4 then has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
- properties pA=100, pB=200 (from role2, because 200>100), pC=100 (from role1, because 100>1), pD=100.

Scenario 2A:
role3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.

This would be identical to role3 importing both role1 and role2.
I.e.:
- capabilities are inherited recursively;

Scenario 2B:
role3 has
- properties pA=100, pB=200 (from role2, because 200>100), pC=100 (from role1, because 100>1), pD=100.

This would be identical to role3 importing both role1 and role2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.

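The three rules in the answer above can be turned into a small resolver that computes a role's effective privilege set and, just as usefully for an auditor, reports which ancestor role each capability or property value came from and which settings in a child role are silently ignored because an ancestor already grants more. The following is an added example written for this thread, not Splunk code or authorize.conf syntax: the dict layout (`importRoles`, `capabilities`, `properties`) and the treatment of semicolon-separated string properties as a union of items are this example's own assumptions, while the numeric "highest value wins" and "capabilities are never revoked" behaviour follows the answer. The role data is constructed to reproduce the two scenarios from the question.

```python
"""Resolve the effective capabilities and properties of a role whose imports
are resolved recursively, following the rules stated in the answer above:
imports are cumulative, a granted capability is never revoked by a
descendant, and a numeric property can only be raised, never lowered.

Constructed example; the dict layout (importRoles / capabilities /
properties) is this example's own and is not authorize.conf syntax.
"""

NUMERIC = (int, float)


def _norm(value):
    """Canonical form: numbers unchanged, list-valued strings sorted and de-duplicated."""
    if isinstance(value, NUMERIC):
        return value
    return ";".join(sorted(set(value.split(";"))))


def _merge(current, value, origins):
    """Fold one property value into the (value, origins) pair collected so far.
    Numeric: the higher value wins (rule from the answer). Semicolon-separated
    strings such as srchIndexesAllowed: union of the items (assumption made
    here for list-valued properties). `origins` records which roles supplied
    the effective value, for auditing."""
    value = _norm(value)
    if current is None:
        return (value, origins)
    cur_val, cur_origins = current
    if isinstance(value, NUMERIC):
        if value > cur_val:
            return (value, origins)
        if value == cur_val:
            return (cur_val, tuple(dict.fromkeys(cur_origins + origins)))
        return current  # a lower value is silently ignored
    merged = ";".join(sorted(set(cur_val.split(";")) | set(value.split(";"))))
    return (merged, tuple(dict.fromkeys(cur_origins + origins)))


def effective(roles, name, _chain=()):
    """Return (capabilities, properties) for role `name`.
    capabilities: {cap: first role in the chain that granted it}
    properties:   {prop: (effective value, tuple of roles it came from)}
    Raises ValueError on an import cycle."""
    if name in _chain:
        raise ValueError("import cycle: " + " -> ".join(_chain + (name,)))
    role = roles[name]
    caps, props = {}, {}
    for parent in role.get("importRoles", []):        # ancestors first, recursively
        p_caps, p_props = effective(roles, parent, _chain + (name,))
        for cap, origin in p_caps.items():
            caps.setdefault(cap, origin)
        for prop, (value, origins) in p_props.items():
            props[prop] = _merge(props.get(prop), value, origins)
    for cap in role.get("capabilities", ()):           # own grants add, never remove
        caps.setdefault(cap, name)
    for prop, value in role.get("properties", {}).items():
        props[prop] = _merge(props.get(prop), value, (name,))
    return caps, props


def ineffective_settings(roles, name):
    """Numeric properties set in `name` that lose to a higher inherited value:
    an attempt to tighten a quota that inheritance silently discards.
    Returns [(prop, value set here, effective value, roles supplying it)]."""
    _, props = effective(roles, name)
    lost = []
    for prop, value in roles[name].get("properties", {}).items():
        eff_val, origins = props[prop]
        if isinstance(value, NUMERIC) and value < eff_val:
            lost.append((prop, value, eff_val, origins))
    return lost


# --- constructed data: the two scenarios from the question -----------------
ROLE1 = {"importRoles": [], "capabilities": {"cA", "cB", "cC"},
         "properties": {"pA": 100, "pB": 100, "pC": 100}}
ROLE2_OWN = {"capabilities": {"cC", "cD"},
             "properties": {"pB": 200, "pC": 1, "pD": 100}}

SCENARIO_1 = {  # role4 imports role1 and role2 directly
    "role1": ROLE1,
    "role2": {"importRoles": [], **ROLE2_OWN},
    "role4": {"importRoles": ["role1", "role2"]},
}
SCENARIO_2 = {  # role3 -> role2 -> role1, no direct import of role1
    "role1": ROLE1,
    "role2": {"importRoles": ["role1"], **ROLE2_OWN},
    "role3": {"importRoles": ["role2"]},
}

if __name__ == "__main__":
    for label, roles, target in (("Scenario 1", SCENARIO_1, "role4"),
                                 ("Scenario 2", SCENARIO_2, "role3")):
        caps, props = effective(roles, target)
        print(f"{label}: {target}")
        for cap in sorted(caps):
            print(f"  capability {cap} (granted by {caps[cap]})")
        for prop in sorted(props):
            value, origins = props[prop]
            print(f"  property {prop}={value} (from {', '.join(origins)})")
    print("Scenario 2: settings in role2 that inheritance ignores:",
          ineffective_settings(SCENARIO_2, "role2"))
```

Running it yields the same result for role4 in scenario 1 and role3 in scenario 2, which is the point of the answer: the chain role3 -> role2 -> role1 is equivalent to importing both ancestors. The `ineffective_settings` report is the check worth adding to a role review: role2's pC=1 looks like a tightening but has no effect, because role1's 100 wins, so a quota or search-window restriction placed on an inheriting role does not constrain anyone who also receives the higher ancestor value.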