Configure users and roles
Splunk App for PCI Compliance uses the access control system integrated with the Splunk platform. The Splunk platform authorization allows you to add users, assign users to roles, and assign those roles custom capabilities to provide granular, role-based access control for your organization.
Configuring user roles
Splunk App for PCI Compliance adds three roles to the default roles provided by Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in ES based on a user's access requirements. Assign all Splunk App for PCI Compliance users appropriate roles in order to perform their duties. There are three categories of users.
| User | Description | Splunk PCI role |
|---|---|---|
| PCI Compliance Manager | Reviews PCI Compliance Posture, Protection Centers, and Audit dashboards in order to understand current PCI Compliance Posture of the organization. PCI Compliance Managers generally do not configure the product or manage incidents. |
pci_user
|
| PCI Compliance Analyst | Uses PCI Compliance Posture and Incident Review dashboards to manage and investigate PCI compliance incidents. PCI Compliance Analyst are also responsible for reviewing Protection Centers and providing direction on what constitutes a PCI compliance incident. Generally, they define the thresholds used by correlation searches and dashboards. A PCI Compliance Analyst needs to be able to edit correlation searches and create suppressions. |
pci_analyst
|
| PCI Compliance Administrator | Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflow, new data sources, tuning of rules, and troubleshooting the application. | admin or sc_admin
|
Each Splunk App for PCI Compliance custom role inherits from Splunk platform roles and adds capabilities specific to the PCI app. Not all of the three roles custom to the Splunk App for PCI Compliance can be assigned to users.
| Splunk PCI role | Inherits from Splunk platform role | Added Splunk PCI capabilities | Can be assigned to users |
|---|---|---|---|
pci_user
|
user | real-time search, list search head clustering | Yes. Replaces the user role for PCI users.
|
pci_analyst
|
user, pci_user, power | Inherits pci_user and adds the capabilities to create, edit, and own notable events and perform all transitions, and create and modify investigations. |
Yes. Replaces the power role for PCI users.
|
pci_admin
|
user, pci_user, power, pci_analyst | Inherits pci_analyst and adds several other capabilities. |
No. You must use a Splunk platform admin role to administer a Splunk App for PCI Compliance installation. |
See the capabilities specific to Splunk App for PCI Compliance for more details about which capabilities are assigned to which roles by default.
The Splunk platform admin role inherits all unique PCI capabilities. In a Splunk Cloud Platform deployment, the Splunk platform admin role is named sc_admin. Use the admin or sc_admin role to administer a Splunk App for PCI Compliance installation.
| Splunk platform role | Inherits from role | Added capabilities | Accepts user assignment |
|---|---|---|---|
admin
|
user, pci_user, power, pci_analyst, pci_admin | All | Yes. |
sc_admin
|
user, pci_user, power, pci_analyst, pci_admin | All | Yes. |
Role inheritance
All role inheritance is preconfigured in Splunk App for PCI Compliance. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see the Splunk platform documentation.
- For Splunk Enterprise, see Add and edit roles in Securing Splunk Enterprise.
- For Splunk Cloud Platform, see Manage Splunk Cloud Platform roles in Splunk Cloud Platform Admin Manual.
Add capabilities to a role
Capabilities control the level of access that roles have to various features in the Splunk App for PCI Compliance. Use the Permissions page in the Splunk App for PCI Compliance to review and change the capabilities assigned to a role.
- On the Splunk App for PCI Compliance menu bar, select Configure > General > Permissions.
- Find the role you want to update.
- Find the ES Component you want to add.
- Select the check box for the component for the role.
- Save.
Capabilities specific to Splunk App for PCI Compliance
Splunk App for PCI Compliance uses custom capabilities to control access to PCI-specific features.
Add capabilities on the permissions page in Splunk App for PCI Compliance to make sure that the proper access control lists (ACLs) are updated. The permissions page makes the ACL changes for you. If you add these custom capabilities on the Splunk platform settings page, you must update the ACLs yourself.
| Function in ES | Description | Capability | pci_user | pci_analyst | pci_admin |
|---|---|---|---|---|---|
| Create new notable events | Create ad-hoc notable events from search results. See Manually create a notable event. | edit_notable_events | X | X | |
| Edit advanced search schedule settings | Edit the schedule priority and schedule window of correlation searches on Content Management. | edit_search_schedule_priority edit_search_schedule_window | X | ||
| Edit correlation searches | Edit correlation searches on Content Management. See Configure correlation searches. | edit_correlationsearches schedule_search | X | ||
| Edit Distributed Configuration Management | Use distributed configuration management. | edit_modinput_es_deployment_manager | X | ||
| Edit ES navigation | Make changes to the Splunk App for PCI Compliance navigation. | edit_es_navigation | X | ||
| Edit glass tables | Create and modify glass tables. Not relevant for the Splunk App for PCI Compliance. | edit_glasstable | X | X | |
| Edit identity lookup configuration | Manage the configuration of identity lookups and restrict asset and identity correlation. Not relevant for the Splunk App for PCI Compliance. | edit_identitylookup | X | ||
| Edit Incident Review | Make changes to Incident Review settings. See Customize Incident Review. | edit_log_review_settings | X | ||
| Edit lookups | Make changes to lookup table files. | edit_lookups, edit_managed_configurations | X | ||
| Edit statuses | Make changes to the statuses available to select for investigations and notable events. See Managing and monitoring notable event statuses. | edit_reviewstatuses | X | ||
| Edit notable event suppressions | Create and edit notable event suppressions. See Create and manage notable event suppressions. | edit_suppressions | X | ||
| Edit notable events | Make changes to notable events, such as assigning them. | edit_notable_eventstransition_reviewstatus-X_to_Y | X | X | |
| Edit per-panel filters | Create and manage per-panel filters for dashboards. | edit_per_panel_filters | X | ||
| Edit intelligence downloads | Create and modify intelligence download settings. Not relevant for Splunk App for PCI Compliance. | edit_modinput_threatlist edit_modinput_threat_intelligence_manager | X | ||
| Edit threat intelligence collections | Upload threat intelligence and perform CRUD operations on threat intelligence collections using the REST API. Not relevant for Splunk App for PCI Compliance. | edit_threat_intel_collections | X | ||
| Manage all investigations | Allows the role to view and make changes to all investigations. | manage_all_investigations | X | ||
| Own notable events | Allows the role to be an owner of notable events. See Notable Events. | can_own_notable_events | X | X | |
| Search-driven lookups | Create lookup tables that can be populated by a search. | edit_managed_configurations schedule_search | X | ||
| Manage your investigations | Create and edit investigations. Roles with this capability can make changes to investigations on which they are a collaborator. See Investigations in Splunk Enterprise Security. | edit_timelines | X | X | |
| Credential Manager | Manage credentials and certificates for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. | admin_all_objects list_storage_passwords list_app_certs edit_app_certs delete_app_certs | X |
Adjust the concurrent searches for a role
Splunk platform defines a limit on concurrently running searches for the user and power roles by default. You may want to change those concurrent searches for some roles.
- On the Splunk App for PCI Compliance menu bar, select Configure > General > General Settings.
- Review the limits for roles and change them as desired.
| Item | Description |
|---|---|
| Search Disk Quota (admin) | The maximum disk space (MB) a user with the admin role can use to store search job results. |
| Search Jobs Quota (admin) | The maximum number of concurrent searches for users with the admin role. |
| Search Jobs Quota (power) | The maximum number of concurrent searches for users with the power role. |
To change the limits for roles other then admin and power, edit the authorize.conf file to update the default search quota. See the authorize.conf.example in the Admin manual.
Configure the roles to search multiple indexes
Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. Splunk platform configures all roles to search only the main index by default. See About configuring role-based user access
To allow roles in Splunk App for PCI Compliance to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.
- Select Settings > Access Controls.
- Click Roles.
- Click the role name that you want to allow to search additional indexes.
- Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
- Save your changes.
- Repeat for additional roles as needed.
If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
For more information on the reasons for multiple indexes, see Why have multiple indexes? in Managing Indexers and Clusters of Indexers.