Edit authorization policies in Splunk Web

You can change how authorization policies affect Splunk capabilities or remove the policies altogether and restore capabilities to their original scope.

To edit authorization policies for a capability on the Splunk platform, you must run a version of the Splunk platform that supports the editing and removal of authorization policies.
In Splunk Web, you can edit policies by either accessing the Policy Management page directly, or by editing a role and accessing the page through the Policies configuration section for the capability whose scope you want to change.
  1. Log into your Splunk platform instance as an administrator user or equivalent.
  2. From the system bar, select Settings > Policy Management. The Policy Management page loads.
  3. In the Policy Management page, select the button with three vertical dots in the row for the policy that you want to change. In the menu that pops up, select Edit. The Edit Policy page loads.
  4. (Optional) In the Policy Name field, you can change the name of the policy by typing in a new name for it. You can give the policy any name that helps you understand how it will limit the scope of the capability to which you assign it.
  5. (Optional) In the Condition (Allow) section, you can change how the policy limits the scope of a capability:
    1. In the *Operation drop-down list box, select oneOf. This is currently the only available option.
    2. In the *Attribute drop-down list box, select one of the available values. When the Splunk platform analyzes the policy, it checks to see if the resource or workflow that the capability provides access to is in the attribute list.
      Note: Currently, the Attribute drop-down list box contains a listing for a Splunk Observability Cloud organization, and the Attribute Value list box contains custom roles related to Splunk Observability Cloud only.
    3. In the *Attribute Value list, select one or more entries that are valid for the *Attribute field. This will limit the scope of the capability in question to only the items in the *Attribute Value list.
  6. (Optional) In the Mapping section, change the roles and capabilities to which this policy will limit scope.
    1. In the *Role drop-down list box, select one or more roles whose capabilities you want to map the policy to.
      Note: You can search for a role by typing its name in the Search field that appears when you select the drop-down list box.
    2. In the Capabilities drop-down list box, select the capabilities to which this policy is to apply. Capabilities that are assigned to the role will be indicated with an Assigned to role tag.
  7. (Optional) If you want to assign additional roles to which this policy will apply, select the + Add row item and repeat the previous step.
    Note: You can repeat this step for as many role mappings as you want to add.
  8. (Optional) Conversely, if you want to remove a role mapping, you can select the circle with the dash in the middle to remove that mapping. You can repeat this step to remove other existing mappings.
  9. Select Save. Splunk Web saves the policy changes and returns you to the Policy Management screen.
Completing this procedure edits an existing authorization policy. When the Splunk platform performs its authorization checks on whether to grant access to a resource or workflow, it checks whether any role that the user holds has the correct capability, and also checks whether that capability has a scope that limits what the capability lets the user access.