Custom roles in Splunk Observability Cloud
Manage users: Create custom roles for users in Splunk Observability Cloud
Predefined roles in Splunk Observability Cloud
Splunk Observability Cloud has built-in roles and the ability to add custom roles. The four built-in roles with predefined capabilities include the following:
- admin
- power
- usage
- read_only
To see detailed descriptions of the predefined roles, see About roles in Splunk Observability Cloud. Predefined roles are also mapped to capabilities in the Splunk Observability Cloud capabilities table in this document.
Prerequisites
To create custom roles, you must meet the following prerequisites:
- Be an administrator in Splunk Observability Cloud and Splunk Cloud Platform.
- Have set up Unified Identity between your Splunk Cloud Platform and Splunk Observability Cloud organizations. See Unified Identity: Splunk Cloud Platform and Splunk Observability Cloud.
- Have set up centralized user and role management. See How to set up centralized user and role management.
How to create a custom role
After you set up Unified Identity and centralized user and role management, Splunk Cloud Platform is the role-based access control (RBAC) store for Splunk Observability Cloud. You must create and manage all Splunk Observability Cloud roles in Splunk Cloud Platform. See Create and manage roles with Splunk Web to learn about roles in Splunk Cloud Platform.
To create a custom Splunk Observability Cloud role, follow these steps:
- Follow only the instructions in the "Add or edit a role" section of Create and manage roles with Splunk Web.
- Specify the custom role capabilities by selecting any combination of capabilities from the table in the following section, Splunk Observability Cloud capabilities.
  Note: Capabilities are always additive in nature. You cannot take away the ability to do something by adding a capability. If you don't want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign that role a capability that lets a user perform that function.
- For every user to whom you assign the custom role you create here, you must also add the o11y_read_only role directly to that user to provide the necessary read functionality.
Splunk Observability Cloud capabilities
The following table lists all of the capabilities that you can add to a role to define the role's permissions in Splunk Observability Cloud:
Capability name | What it lets users assigned to this role do | admin | power | usage | read_only |
---|---|---|---|---|---|
CREATE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS | Grants user permission to generate automated archival exempt metrics | X | X | ||
CREATE_CHART | Grants user permission to create a new chart | X | X | ||
CREATE_DASHBOARD | Grants user permission to create a new dashboard. You must also assign the CREATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard | X | X | ||
CREATE_DASHBOARD_DATA_LINK | Grants user permission to create a dashboard data link | X | X | ||
CREATE_DASHBOARD_GROUP | Grants user permission to create a new dashboard group | X | X | ||
CREATE_DETECTOR | Grants user permission to create a detector | X | X | ||
CREATE_DIMENSION | Grants user permission to create a new dimension | X | X | ||
CREATE_EVENT | Grants user permission to create a new event | X | X | ||
CREATE_FIELD_ALIASING | Grants user permission to create aliases | X | X | ||
CREATE_LOGS_PIPELINE | Grants user permission to create a new logs pipeline with processing rules | X | X | ||
CREATE_LOGS_QUERIES | Grants user permission to create saved logs queries | X | X | ||
CREATE_METRIC | Grants user permission to create a new metric | X | X | ||
CREATE_METRIC_RULESET | Grants user permission to create a metric ruleset | X | X | ||
CREATE_MUTING_RULE | Grants user permission to create a new muting rule | X | X | ||
CREATE_PACKAGE | Grants user permission to create an SFX Package | X | X | ||
CREATE_SHAREABLE_SNAPSHOT | Grants user permission to create a shareable snapshot of an existing chart or dashboard | X | X | ||
CREATE_SLO | Grants user permission to create a new service level objective | X | X | ||
CREATE_SSO | Grants user permission to create SSO connections | X | X | ||
CREATE_SYNTHETICS_DOWNTIME_CONFIGURATION | Grants user permission to create synthetic downtime configurations | X | X | ||
CREATE_SYNTHETICS_PRIVATE_LOCATION | Grants user permission to create synthetic private location | X | X | ||
CREATE_SYNTHETICS_PRIVATE_LOCATION_TOKEN | Grants user permission to create a synthetic private location token | X | X | ||
CREATE_SYNTHETICS_TEST | Grants user permission to create synthetic tests | X | X | ||
CREATE_TAG | Grants user permission to create a new tag | X | X | ||
CREATE_TEAM_MEMBER | Grants user permission to add members to existing teams where user is a team manager | X | X | ||
DELETE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS | Grants user permission to delete automated archival exempt metrics | X | X | ||
DELETE_DASHBOARD | Grants user permission to delete an existing dashboard | X | X | ||
DELETE_DASHBOARD_DATA_LINK | Grants user permission to delete an existing data link | X | X | ||
DELETE_DASHBOARD_GROUP | Grants user permission to delete an existing dashboard group | X | X | ||
DELETE_DETECTOR | Grants user permission to delete an existing detector | X | X | ||
DELETE_DIMENSION | Grants user permission to delete an existing dimension | X | X | ||
DELETE_EVENT | Grants user permission to delete an existing event | X | X | ||
DELETE_METRIC | Grants user permission to delete an existing metric | X | X | ||
DELETE_METRIC_RULESET | Grants user permission to delete an existing metric ruleset | X | X | ||
DELETE_MUTING_RULE | Grants user permission to delete an existing muting rule | X | X | ||
DELETE_PACKAGE | Grants user permission to delete an existing SFX Package | X | X | ||
DELETE_SYNTHETICS_DOWNTIME_CONFIGURATION | Grants user permission to delete synthetic downtime configurations | X | X | ||
DELETE_SYNTHETICS_PRIVATE_LOCATION | Grants user permission to delete synthetic private location | X | X | ||
DELETE_SYNTHETICS_PRIVATE_LOCATION_TOKEN | Grants user permission to delete synthetic private location token | X | X | ||
DELETE_SYNTHETICS_TEST | Grants user permission to delete synthetic tests | X | X | ||
DELETE_TAG | Grants user permission to delete an existing tag | X | X | ||
DELETE_TEAM | Grants user permission to delete an existing team | X | X | ||
DELETE_TEAM_MEMBER | Grants user permission to remove an existing team member from a team | X | X | ||
READ_LOGS_PIPELINE | Grants user permission to view the configured logs pipeline and processing rules | X | X | ||
READ_NAMEDTOKEN | Grants user permission to retrieve and display a list of named tokens | X | X | ||
READ_ROLE | Grants user permission to retrieve and display a list of existing roles | X | X | ||
UPDATE_CHART | Grants user permission to make changes to an existing chart | X | X | ||
UPDATE_DASHBOARD | Grants user permission to make changes to an existing dashboard | X | X | ||
UPDATE_DASHBOARD_DATA_LINK | Grants user permission to change existing dashboard data links | X | X | ||
UPDATE_DASHBOARD_GROUP | Grants user permission to make changes to an existing dashboard group. You must also assign the UPDATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard group | X | X | ||
UPDATE_DETECTOR | Grants user permission to make changes to an existing detector | X | X | ||
UPDATE_DIMENSION | Grants user permission to make changes to an existing dimension | X | X | ||
UPDATE_FIELD_ALIASING | Grants user permission to update field aliases | X | X | ||
UPDATE_INCIDENT | Grants user permission to clear an existing incident | X | X | ||
UPDATE_LOGS_QUERIES | Grants user permission to create, update, and delete saved logs queries | X | X | ||
UPDATE_METRIC | Grants user permission to make changes to an existing metric | X | X | ||
UPDATE_METRIC_RULESET | Grants user permission to make changes to an existing metric ruleset | X | X | ||
UPDATE_MUTING_RULE | Grants user permission to make changes to an existing muting rule object | X | X | ||
UPDATE_PACKAGE | Grants user permission to update an existing SFPackage | X | X | ||
UPDATE_RUM_URL_GROUPING_RULE | Grants user permission to update the current URL config object (modify, add, or remove rules) | X | X | ||
UPDATE_SERVICE_CENTRIC_VIEW_CONFIG | Grants user permission to create or update an APM Services configuration for a service | X | X | ||
UPDATE_SHAREABLE_SNAPSHOT | Grants user permission to update an existing SFPackage | X | X | ||
UPDATE_SLO | Grants user permission to make changes to an existing service level objective | X | X | ||
UPDATE_SYNTHETICS_DOWNTIME_CONFIGURATION | Grants user permission to update synthetic downtime configurations | X | X | ||
UPDATE_SYNTHETICS_TEST | Grants user permission to update synthetic tests | X | X | ||
UPDATE_TAG | Grants user permission to make changes to an existing tag | X | X | ||
UPDATE_TEAM | Grants user permission to update existing teams | X | X | ||
UPDATE_TEAM_MEMBER | Grants user permission to update existing members to team manager | X | X | ||
WRITE_ENTITY | Grants user permission to update a discovered entity in the data management UI | X | X |
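
The following Python sketch is an added example, not part of the Splunk documentation or any Splunk tool. It audits a planned role assignment against the rules stated on this page: capabilities are additive across roles, CREATE_DASHBOARD and UPDATE_DASHBOARD_GROUP need their snapshot companions, and every holder of a custom role also needs o11y_read_only. The custom role names, user names, and the empty capability set for o11y_read_only are constructed assumptions.

```python
# Added example: checks a planned role assignment against this page's rules.
# All role names except o11y_read_only, and all user names, are constructed.
COMPANIONS = {  # capability -> capability the table says must accompany it
    "CREATE_DASHBOARD": "CREATE_SHAREABLE_SNAPSHOT",
    "UPDATE_DASHBOARD_GROUP": "UPDATE_SHAREABLE_SNAPSHOT",
}
BASE_ROLE = "o11y_read_only"  # must be assigned directly alongside a custom role

def effective_capabilities(roles, role_caps):
    """Capabilities are additive: a user holds the union over all roles."""
    caps = set()
    for role in roles:
        caps |= role_caps.get(role, set())
    return caps

def audit_user(roles, role_caps, custom_roles, must_not_have=()):
    """Return sorted (code, detail) findings for one user's role list."""
    findings = []
    if custom_roles & set(roles) and BASE_ROLE not in roles:
        findings.append(("MISSING_BASE_ROLE", BASE_ROLE))
    caps = effective_capabilities(roles, role_caps)
    for cap, companion in COMPANIONS.items():
        if cap in caps and companion not in caps:
            findings.append(("MISSING_COMPANION", f"{cap} needs {companion}"))
    for cap in must_not_have:
        # Name the roles that grant it: removing it means editing those roles.
        granting = sorted(r for r in roles if cap in role_caps.get(r, set()))
        if granting:
            findings.append(("UNWANTED_CAPABILITY", f"{cap} via {','.join(granting)}"))
    return sorted(findings)

# Constructed plan: two custom roles built from capabilities in the table.
ROLE_CAPS = {
    BASE_ROLE: set(),  # assumption: modelled here as granting no table capability
    "custom_dash_editor": {"CREATE_CHART", "UPDATE_CHART", "CREATE_DASHBOARD"},
    "custom_detector_owner": {"CREATE_DETECTOR", "UPDATE_DETECTOR", "DELETE_DETECTOR"},
}
CUSTOM = {"custom_dash_editor", "custom_detector_owner"}
USERS = {
    "alice": ["custom_dash_editor"],
    "bob": [BASE_ROLE, "custom_dash_editor", "custom_detector_owner"],
}

def audit_plan(must_not_have=("DELETE_DETECTOR",)):
    return {u: audit_user(r, ROLE_CAPS, CUSTOM, must_not_have) for u, r in USERS.items()}

if __name__ == "__main__":
    for user, findings in audit_plan().items():
        for code, detail in findings:
            print(f"{user}: {code}: {detail}")
```

In the constructed plan, bob's second custom role grants DELETE_DETECTOR, so the only way to withhold it is to change or drop that role, which is the additive behaviour the note in the steps describes.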