Splunk Alert and Dashboard Creation Permissions

Path Finder

Hi Team,

We have deployed Splunk Cloud in our organisation. And the access for the users have been provided via SAML authentication. We have different application team and hence we have created different application roles and provided user level acccess to search the data with the respective index in Splunk Cloud.

Now a particular user has been assigned to X user level role and he can able to access Splunk Cloud and able to search the data index=x and he can able to create the alerts and dashboards as well. But the alert or dashboard which is getting created saves as Private and the user alone can able to view and access the Alerts & Dashboards whereas others with the same role couldn't able to view the same and also they couldn't able to share the data Globally since they dont have access. So where and how should we need to change the access level so that the user in a particular roles assigned needs to modify and share the alerts and dashboards globally.

So kindly help to check and update on the same.

Tags (1)
0 Karma

Esteemed Legend

We usually give up on the default roles or at least strip out all access to index values. Then we create new roles based on index values ONLY (No other capabilities added). This way, when ANY user of ANY time needs access to any particular index, we simply add the role named for that index to his user. Also, don't forget that when users create knowledge objects, they usually start out with private scope and only that user can see/use them. Remind users that when they need to share, the user must bump up the permissions to at least app level.

0 Karma


Perhaps I'm misinterpreting the question, but are you just asking how to edit permissions on knowledge objects so everyone has access to it? The person who created the object (alert/dashboard) can edit it using the edit functionality in the top right corner of the dashboard/alert to change the permissions to app and by role.

Additionally, if the person isn't with the company or can't do this themselves, an admin can go into Settings (top right corner of the Splunk UI) -> All Configurations (bottom of the "Knowledge" list in the dropdown) -> Search for the name of the object -> change the permissions to be not private under the "Sharing" section.

Did this answer your question? Sorry if I misunderstood!

0 Karma

Path Finder

Can anyone help on my query

0 Karma
Get Updates on the Splunk Community!

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...