Create authorization policies in Splunk Web

You can use Splunk Web to create, configure, and update authorization policies for a Splunk capability.

To create and edit authorization policies for a capability, you must run a version of the Splunk platform that supports creating authorization policies.
In Splunk Web, you can edit policies by either accessing the Policy Management page directly, or by editing a role and accessing the page through the Policies configuration section for the capability whose scope you want to change.
  1. Log in to your Splunk platform instance as an administrator user or equivalent.
  2. From the system bar, select Settings > Policy Management. The Policy Management page loads.
  3. In the Policy Management page, select + Add Policy. The Add Policy page loads.
  4. In the Policy Name field, type in the name of the policy that will apply scope to a capability. You can give the policy any name that helps you understand how it will limit the scope of the capability to which you assign it.
  5. In the Condition (Allow) section, determine how the policy will limit the scope of a capability:
    1. In the *Operation drop-down list box, select oneOf. This is currently the only available option.
    2. In the *Attribute drop-down list box, select one of the available values. When the Splunk platform analyzes the policy, it checks to see if the resource or workflow that the capability provides access to is in the attribute list.
      Note: Currently, the Attribute drop-down list box contains a listing for a Splunk Observability Cloud organization, and the Attribute Value list box contains custom roles related to Splunk Observability Cloud only.
    3. In the *Attribute Value list, select one or more entries that are valid for the *Attribute field. This will limit the scope of the capability in question to only the items in the *Attribute Value list.
  6. In the Mapping section, determine the roles and capabilities to which this policy will limit scope.
    1. In the *Role drop-down list box, select one or more roles whose capabilities you want to map the policy to.
      Note: You can search for a role by typing its name in the Search field that appears when you select the drop-down list box.
    2. In the Capabilities drop-down list box, select the capabilities to which this policy applies. Capabilities that are already assigned to the role are marked with an "Assigned to role" tag.
  7. (Optional) If you want to assign additional roles to which this policy will apply, select the + Add row item and repeat the previous step.
    Note: You can repeat this step for as many role mappings as you want to add.
  8. Select Save. Splunk Web returns you to the Policy Management screen.
Completing this procedure defines a policy for the roles and capabilities that you specify. When the Splunk platform performs its authorization checks on whether to grant access to a resource or workflow, it checks whether any role that the user holds has the correct capability, and also checks whether that capability has a scope that limits what the capability lets the user access.
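
The following Python sketch models the authorization check described above. It is an added example, not Splunk code and not a Splunk API. The role, capability, attribute, and policy names are constructed, and the rule that a capability with no mapped policy is unrestricted is an assumption. It also lists mappings that reference a capability the role does not hold, which is worth reviewing after you save a policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    attribute: str             # value chosen in the Attribute field
    allowed_values: frozenset  # Attribute Value list, matched with oneOf
    mappings: frozenset        # (role, capability) rows from the Mapping section

def is_allowed(user_roles, role_caps, policies, capability, resource):
    """True if any role the user holds grants `capability` for `resource`."""
    for role in user_roles:
        if capability not in role_caps.get(role, set()):
            continue  # this role does not hold the capability at all
        scoped = [p for p in policies if (role, capability) in p.mappings]
        if not scoped:
            return True  # ASSUMPTION: no mapped policy means no scope limit
        # oneOf: the resource's attribute must be in a policy's value list
        if any(resource.get(p.attribute) in p.allowed_values for p in scoped):
            return True
    return False

def unassigned_mappings(role_caps, policies):
    """Policy rows whose capability is not assigned to the mapped role."""
    return sorted((p.name, r, c) for p in policies
                  for r, c in p.mappings if c not in role_caps.get(r, set()))

# Constructed sample data (all names are hypothetical placeholders).
CAP = "example_capability"
ROLE_CAPS = {"analyst": {CAP}, "viewer": set(), "admin": {CAP}}
POLICIES = [
    Policy("limit-to-org-a", "organization", frozenset({"org-a"}),
           frozenset({("analyst", CAP), ("viewer", CAP)})),
]

if __name__ == "__main__":
    for roles, org in [(["analyst"], "org-a"), (["analyst"], "org-b"),
                       (["viewer"], "org-a"), (["admin"], "org-b")]:
        ok = is_allowed(roles, ROLE_CAPS, POLICIES, CAP, {"organization": org})
        print(roles, org, "allow" if ok else "deny")
    print("review:", unassigned_mappings(ROLE_CAPS, POLICIES))
```

In this model the "admin" role is not limited by the policy because no mapping row names it, which shows why every role that holds the capability needs its own row if the scope is meant to apply to it.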