Users and roles for Splunk Enterprise Security
Splunk Enterprise Security uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles capabilities to provide granular, role-based access control for your organization.
Security users
The following table describes the three types of security users:
| User | Description | Splunk Enterprise Security role |
|---|---|---|
| Security director | Seeks to understand the current security posture of the organization by reviewing the security posture, protection centers, and audit dashboards in Splunk Enterprise Security. A security director does not configure the product or manage findings and investigations. | ess_user |
| Security analyst | Uses the Security Posture dashboard and the Mission Control page in Splunk Enterprise Security to manage and investigate security findings. Security analysts are also responsible for reviewing the protection centers and providing direction on what constitutes a security threat. They also define the thresholds used by detections and dashboards. A security analyst must be able to edit findings. | ess_analyst |
| Solution administrator | Installs and maintains Splunk Enterprise Security. This user is responsible for configuring workflows, adding new data sources, and tuning and troubleshooting the application. | admin or sc_admin |
Splunk Enterprise Security roles
Roles concept
Splunk Enterprise Security adds three roles to the default roles provided by the Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security based on a user's access requirements. The Splunk platform administrator can assign groups of users to the roles that best fit the tasks the users perform and manage in Splunk Enterprise Security.
Each Splunk Enterprise Security role inherits other Splunk platform roles and adds capabilities specific to Splunk Enterprise Security. Not all of the Splunk Enterprise Security roles can be assigned directly to users.
The following table describes the roles specific to Splunk Enterprise Security:
| Splunk Enterprise Security role | Roles inherited from the Splunk platform | Added Splunk Enterprise Security capabilities | Assign to users? |
|---|---|---|---|
| ess_user | user | Real-time search, list search head clustering, edit Splunk eventtypes in the threat intelligence supporting add-on, and manage suppressions of findings. | Yes. Replaces the user role for Splunk Enterprise Security users. |
| ess_analyst | user, ess_user, power | Inherits ess_user and adds the capabilities to create, edit, and own findings, perform all finding transitions, and create and modify investigations. | Yes. Replaces the power role for Splunk Enterprise Security users. |
| ess_admin | user, ess_user, power, ess_analyst | Inherits ess_analyst and adds several other capabilities. | No. Use a Splunk platform admin role to administer a Splunk Enterprise Security installation. Note: ess_admin is a container of capabilities that Splunk Enterprise Security provides to the system administrator role so that the administrator can install and configure the product. Do not assign ess_admin directly to users: although the role carries the custom capabilities, a user holding only this role does not have access to the access control lists (ACLs) that administration requires. |
The Splunk platform admin role inherits all unique Splunk Enterprise Security capabilities. In a Splunk Cloud Platform deployment, the Splunk platform admin role is called sc_admin. Use the admin or sc_admin role to administer a Splunk Enterprise Security installation.
Role inheritance
All role inheritance is preconfigured in Splunk Enterprise Security. If you change the capabilities of a role, every role that inherits from it reflects the change as well, so a capability removed from ess_user also disappears from ess_analyst and ess_admin.
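Role inheritance in the Splunk platform is expressed in authorize.conf through `importRoles`, and the effective capability set of a role is the union of its own enabled capabilities and those of every role it imports, transitively. The following script is an added example, not part of this page or of Splunk's own code: it parses a constructed authorize.conf-style sample that mirrors the inheritance chain in the table above, resolves effective capabilities, and shows which roles change when a capability is removed from a parent role. `search`, `rtsearch`, `schedule_search` and `list_search_head_clustering` are real Splunk capability names; `edit_findings` and `edit_investigations` are illustrative placeholders and are not the actual Splunk Enterprise Security capability names.

```python
"""Resolve effective Splunk role capabilities through importRoles.

Parses authorize.conf-style stanzas, follows role inheritance
transitively, and reports how an edit to one role propagates to the
roles that inherit from it.
"""
import configparser

# Constructed sample modelled on the ess_user -> ess_analyst -> ess_admin
# chain. Real capability names: search, rtsearch, schedule_search,
# list_search_head_clustering. Placeholders (NOT real ES capability
# names): edit_findings, edit_investigations.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_ess_user]
importRoles = user
rtsearch = enabled
list_search_head_clustering = enabled

[role_ess_analyst]
importRoles = user;ess_user;power
edit_findings = enabled

[role_ess_admin]
importRoles = user;ess_user;power;ess_analyst
edit_investigations = enabled
"""


def parse_roles(text):
    """Return {role: {"imports": [...], "caps": set()}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        raw_imports = cp.get(section, "importRoles", fallback="")
        imports = [r.strip() for r in raw_imports.split(";") if r.strip()]
        caps = {
            key for key, value in cp.items(section)
            if key != "importRoles" and value.strip().lower() == "enabled"
        }
        roles[name] = {"imports": imports, "caps": caps}
    return roles


def effective_capabilities(roles, role, _seen=None):
    """Own capabilities plus everything inherited via importRoles (transitive)."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()  # cycle guard, and unknown roles contribute nothing
    _seen.add(role)
    caps = set(roles[role]["caps"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def remove_capability(roles, role, cap):
    """Remove `cap` from `role` and return every role whose effective set changed."""
    before = {r: effective_capabilities(roles, r) for r in roles}
    roles[role]["caps"].discard(cap)
    after = {r: effective_capabilities(roles, r) for r in roles}
    return sorted(r for r in roles if before[r] != after[r])


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for name in ("ess_user", "ess_analyst", "ess_admin"):
        print(f"{name}: {sorted(effective_capabilities(roles, name))}")
    # Dropping rtsearch from ess_user also changes ess_analyst and ess_admin.
    print("changed:", remove_capability(roles, "ess_user", "rtsearch"))
```

On a real search head, point `parse_roles` at the merged stanzas that `splunk btool authorize list` prints rather than at the constructed sample; the resolution logic is the same, and the `changed:` line is the quick way to see which downstream roles a planned edit to ess_user or ess_analyst will affect before you make it.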
See also
For more information about roles, see the product documentation:
- For Splunk Enterprise, see Add and edit roles in Securing Splunk Enterprise.
- For Splunk Cloud Platform, see Manage Splunk Cloud Platform roles in Splunk Cloud Platform Admin Manual.
For more information on reassigning knowledge objects, see the product documentation:
- For Splunk Enterprise, see Reassign one or more shared knowledge objects to a new owner in the Knowledge Manager Manual.
- For Splunk Cloud Platform, see Reassign one or more shared knowledge objects to a new owner in the Knowledge Manager Manual.
For more information about working with roles, see the product documentation:
- For Splunk Enterprise, see About configuring role-based user access in the Securing Splunk Enterprise manual.
- For Splunk Cloud Platform, see Manage Splunk Cloud Platform users and roles in the Splunk Cloud Platform Admin Manual.
For more information on the need for multiple indexes, see Why have multiple indexes? in Splunk Enterprise Managing Indexers and Clusters of Indexers.
For more information on managing credentials, see Manage credentials in Splunk Enterprise Security.