Security

How do roles inherit capabilities and properties?

adckia
New Member

After having read through some documentation and several discussions, I didn't find out, if roles are being inherited recursively, i.e.:

  • role_2 imports role_1
  • role_3 imports role_2
  • (role_3 does not import role_1 directly)
  1. Does role_3 then have all the capabilities which were defined in role_1?
  2. Does role_3 then have all the properties (e.g. srchTimeWin) which were defined in role_1 and not overwritten in role_2?

Thanks in advance for any help.

0 Karma
1 Solution

dshakespeare_sp
Splunk Employee
Splunk Employee

The basic concept of inherited roles is that we can define a "basic user role" which give users access to the minimum capabilities and properties values needed to use Splunk. Additional roles can be then created that can ADD additional capabilities or INCREASE property values.

I believe there are three rules to consider
- role inheritance is cumulative (ie if role_2 inherits from role_1, and role_3 inherits from role_2 only, role_2 inherits ALL the capabilities from role_2 AND role_1.
- if a capability has been granted in a role (say role_1), it cannot be revoked by any subsequent role that inherits role_1
- if a property value has been set in a role (say role_1), it can only be INCREASED by any subsequent role that inherits role_1. It cannot be DECREASED

So if we treat any capability as a binary (true / granted = 1 , false / denied = 0) then our basic logic is that the highest value for a capability or property wins, regardless of if that value is set in the current role or the inherited role.

So to finally answer your questions: 🙂

Scenario 1:
role_4 then has
capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

Scenario 2A:
role_3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.
This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- capabilities are inherited recursively;

Scenario 2B:
role_3 has
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.

View solution in original post

dshakespeare_sp
Splunk Employee
Splunk Employee

The basic concept of inherited roles is that we can define a "basic user role" which give users access to the minimum capabilities and properties values needed to use Splunk. Additional roles can be then created that can ADD additional capabilities or INCREASE property values.

I believe there are three rules to consider
- role inheritance is cumulative (ie if role_2 inherits from role_1, and role_3 inherits from role_2 only, role_2 inherits ALL the capabilities from role_2 AND role_1.
- if a capability has been granted in a role (say role_1), it cannot be revoked by any subsequent role that inherits role_1
- if a property value has been set in a role (say role_1), it can only be INCREASED by any subsequent role that inherits role_1. It cannot be DECREASED

So if we treat any capability as a binary (true / granted = 1 , false / denied = 0) then our basic logic is that the highest value for a capability or property wins, regardless of if that value is set in the current role or the inherited role.

So to finally answer your questions: 🙂

Scenario 1:
role_4 then has
capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

Scenario 2A:
role_3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.
This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- capabilities are inherited recursively;

Scenario 2B:
role_3 has
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.

adckia
New Member

Let me put a bit more precision into my question:

Givens / understanding:
Capabilities can only be disabled (= not granted; this is the default), or enabled (= granted). (They cannot be set to disabled, but they can only be left disabled by not enabling them.)
Properties can take numeric, or alphanumeric, values, e.g. srchJobsQuota=10, srchIndexesAllowed=main.

Scenario 1:
- role_1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role_2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role_4 imports role_1 and role_2.

Question Q1:
role_4 then has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

Is this correct?

Scenario 2:
- role_1 has capabilities cA=enabled, cB=enabled, cC=enabled, properties pA=100, pB=100, pC=100;
- role_2 has capabilities cC=enabled, cD=enabled, properties pB=200, pC=1, pD=100;
- role_2 imports role_1;
- role_3 imports role_2;
- role_3 does not import role_1 explicitly;

Then, what is the outcome:

Question Q2.A -- with regards to capabilities:

Option A1:
role_3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.

This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- capabilities are inherited recursively;

Option A2:
role_3 has
- capabilities cC=enabled, cD=enabled.

I.e.:
- capabilities are not inherited recursively;

Which option is correct?

Question Q2.B -- with regards to properties:

Option B1:
role_3 has
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.

This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.

Option B2:
role_3 has
- properties pA=100, pB=200 (from role_2, because role_2 overwrites role_1), pC=1 (from role_2, because role_2 overwrites role_1), pD=100.

I.e.:
- properties are inherited recursively, taking the value of the "youngest generation" of ancestor roles for a property defined in more than one role within the inheritance chain.

Option B3:
role_3 has
- properties pB=200 (from role_2), pC=1 (from role_2), pD=100.

I.e.:
- properties are not inherited recursively.

Option B4:
role_3 has
- no properties set.

I.e.:
- properties are not inherited (at all).

Which one is correct?

Thanks a lot in advance for helping clarify this.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...