Security

Splunk add role

asarolkar
Builder

I want to create a user with more privileges (Capabilities) than a power role but less than an admin role.

If you go to Manager > Access roles > Roles, you can create a new role and configure it as you wish.

There are several ways to go about it from a sysadmin point of view.

  1. You first define a new role under Selected roles and call it admin_lite.

  2. Im unsure of the approach to take to configure this new role :

The first approach says I do not need the new role to inherit admin, power or user.

The second approach says I inherit power and NOT add any capabilities on top of that.

Is it necessary for us to define an inheritance when creating a new role ? Inheritance merely gives you a set of capabilities and you cannot add new capabilities outside of what is CUSTOM to the "power" or the "user" inheritance.

Q. What are the advantages to picking an inheritance / or just not picking one ? How would you set "inheritance" and "capabilities" ?

This is a best practices question. Because of the nature of this hybrid role, which we want to custom-define, we need to understand how inheritance/capabilities work.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

First, if you modify the "lower" role from which you inherit, your new role will inherit the changes automatically. This would not be the case if you create one from scratch. Second, inheriting a role inherits "allowed indexes" as well as the capabilities.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...