Security

Creating new custom roles

Jack90
Explorer

Hello,

I manage a Splunk hybrid environment (cloud SH, on-premise DS, HF, etc.). I have a task to create custom roles and RBAC.

I have a few questions and I would be thankful if you could help me clarify them:

1) Do the custom roles populate between Splunk instances? For example, if I create a role on the cloud SH, will it populate automatically to the other cloud SHs and the on-premise DS? Or do I have to create the roles manually and assign users everywhere?

2) Is there a set of Splunk best practices for role creation?

3) What is the difference if I create roles in the web GUI vs. the backend (on on-prem instances)? Is the final result the same?


gcusello
SplunkTrust

Hi @Jack90,

answering your questions:

1)

roles aren't distributed between Splunk servers, and you have to populate them manually.

Anyway, remember that it's mandatory to create roles on Search Heads and Indexers, not on the other servers.

2)

I didn't see best practices for role creation; I can give you only one hint: avoid using inheritance, because you could get features and grants that you don't want.

3)

you can create roles using the GUI or conf files; it's the same thing. I prefer the GUI to avoid syntax errors.

you can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/UseaccesscontroltosecureSplunkdata and https://lantern.splunk.com/Splunk_Success_Framework/People_Management/Setting_roles_and_responsibili... 

Ciao.

Giuseppe


Jack90
Explorer

Thank you so much for your answer.

Could you kindly clarify what you mean by setting roles on indexers in Splunk Cloud?

isoutamo
SplunkTrust

Hi

Some additions to @gcusello's answer.

Usually you don't need any roles/users on indexers other than admins, and those usually only if/when there is a need for CLI/REST API stuff. On Splunk Cloud you cannot have any roles/users on indexers.

In Splunk, all access to data is given by users/roles which are defined on the SH side, not on the IDX side!

When you want to use the same roles (and actually always), you should use conf files in a separate app; never use the GUI for managing those. Even better if you can manage those users/role names as AD users and groups which are bound to Splunk roles in a separate app's auth*.conf files.

Here is a conf presentation on RBAC which is good to read before going forward: https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=PLA1169B#/

r. Ismo
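The separate-app layout Ismo describes, as an added example that is not part of any post in this thread: a custom role defined in authorize.conf without inheritance (gcusello's hint) and bound to an AD group in authentication.conf. The app name rbac_roles, the role soc_analyst, the index names, the LDAP strategy name corp_ad and the group DN are assumed placeholders.

```ini
# Added example, not from the thread. App "rbac_roles" holds only the role
# definition and its AD group binding, so it can be deployed unchanged to
# every search head. Role, index and group names are constructed placeholders.

# $SPLUNK_HOME/etc/apps/rbac_roles/local/authorize.conf
[role_soc_analyst]
# importRoles is deliberately absent. A line such as
#   importRoles = user
# would pull in every capability and index grant of "user", including ones
# the role author never reviewed. Listing capabilities explicitly keeps the
# role's effective rights equal to what is written here.
search = enabled
schedule_search = enabled
rest_properties_get = enabled
# Indexes the role may search, and the ones searched when none is named.
srchIndexesAllowed = security;firewall
srchIndexesDefault = security
# Row-level restriction applied to every search this role runs.
srchFilter = sourcetype!=secrets_*
# Quotas so one role cannot starve the search head.
srchJobsQuota = 5
rtSrchJobsQuota = 2
srchDiskQuota = 500

# $SPLUNK_HOME/etc/apps/rbac_roles/local/authentication.conf
# Map an AD/LDAP group to the role. The LDAP strategy "corp_ad" is assumed
# to be configured elsewhere; only the role-to-group binding lives here.
[roleMap_corp_ad]
soc_analyst = CN=SOC-Analysts,OU=Groups,DC=example,DC=com
```

Membership changes then happen in AD, and the same app can be pushed to every search head without touching the GUI.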

gcusello
SplunkTrust

Hi @Jack90,

sorry I didn't realize you were talking about Splunk Cloud!
Forget Indexers!

Ciao.

Giuseppe
