Access and Authorization in Splunk
Welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. This is Lesson 6.2, where we'll be discussing access and authorization in Splunk. In the previous lesson we talked about what authentication options there are; now we're going to get more into how privileges are granted.

So the learning objectives for this lesson will be to cover the type of access control that's used in Splunk, explain the process for getting users onboarded into Splunk, talk about Splunk base roles, and then also discuss how you go about creating your own custom roles in Splunk. Why are we learning this?
Now that we know what authentication options are available, that's great, but we need one more piece of the puzzle before we'll be able to actually use our users. So in Splunk, it's great to have a user account, but it also needs to be assigned the relevant permissions. Otherwise, you won't be able to use the account yet, so this is an essential next step in getting your users ready to log into their accounts.
what type of access is used in Splunk?
It's what's referred to as role-based access control, or RBAC, which basically means that instead of a user having their permissions defined on an individual basis, or an object having the permissions defined at that level, users are assigned to roles, and the roles are what define what permissions that user has. An important note with Splunk is that if a user does not belong to a role, they will not be able to log in. So it is essential that you set this up beforehand.
So when you bring users into Splunk, this is what the general process is going to look like. First, you're going to create roles. That's important because, while Splunk does ship with base roles, you're not supposed to use those. You should really use them as a baseline and develop your own roles, in case future updates or anything like that change the role fundamentally.

Then, once the role is created, you should assign the relevant capabilities to that role and also specify which indexes people in that role are supposed to be able to see. Then you can create users, or integrate users through another system using one of the authentication options that we discussed in the previous video, and then either assign the user a role or, in the case of Active Directory, map the user's role to a role in Splunk.
So the Splunk default roles consist of admin, power user (but it's just called power), user, and then can_delete. So these are the base roles. Like I said before, you shouldn't really use these. You should use them as a baseline and then model your own roles after them. It's important to note the can_delete role. So admin basically has permissions to do everything except for deleting data via the Splunk delete command. That's reserved for just the can_delete role, and you should keep it that way. Ideally, no one should really be doing that. That is, when you do that in Splunk, basically whatever data you bring back from your search, you can pipe that into a delete command, and then that will make it impossible to return those events again in a search. It doesn't actually delete them from disk, but it does make them virtually inaccessible.
So as we've mentioned a couple of times, don't use the default roles. Instead, you should create custom roles. You can create a new role pretty easily via Splunk Web: simply go to Settings, then Users, then Roles, then Add New. Then, if you want to streamline or fast-track making your role based off of another one, you can select a role to inherit from, and so that can make this process a little quicker.
And then, as I mentioned in the previous slide, make sure that you're restricting access to the delete_by_keyword capability. I know I mentioned capabilities a couple of times previously in the slide; just to make sure that I'm being clear, the individual permissions or abilities that a role will have in Splunk are referred to as capabilities, and you'll have to get kind of familiar with those and be able to determine which ones are appropriate for a given role. Splunk does have documentation that goes over each capability that's available, what it does, and which users have it by default. I will link that in the Resources tab. So just keep that in mind when you're considering roles.
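As an added illustration (this is not from the lesson and not Splunk's shipped configuration), here is what the procedure above looks like when written directly in authorize.conf instead of clicking through Splunk Web: one stanza done the wrong way, and one that follows the lesson's advice of inheriting from a base role and granting only what is needed. The role names soc_analyst_bad and soc_analyst and the index names security and firewall are made up for the example; the stanza format and the setting names (importRoles, srchIndexesAllowed, srchIndexesDefault, srchJobsQuota, srchDiskQuota, and the capability names) are Splunk's real authorize.conf settings.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Example only: role names and index names below are hypothetical.
# Splunk .conf comments must sit on their own line; a trailing "# ..."
# after a value is read as part of the value.

# --- Weak: inherits everything from admin and grants deletion. Avoid. ---
[role_soc_analyst_bad]
# inherits every capability the admin role has
importRoles = admin
# "*" matches every non-internal index
srchIndexesAllowed = *
# allows "| delete", which should stay reserved for can_delete
delete_by_keyword = enabled

# --- Corrected: start from the built-in "user" role as a baseline, then
#     scope the indexes and add only the capabilities the analysts need.
#     delete_by_keyword is deliberately absent, so it stays disabled. ---
[role_soc_analyst]
importRoles = user
# Indexes the role may search (semicolon-separated), and the ones searched
# when a query gives no index= clause
srchIndexesAllowed = security;firewall
srchIndexesDefault = security
# Capabilities listed explicitly to document intent, even where the
# inherited role may already grant them
search = enabled
rtsearch = enabled
schedule_search = enabled
# Per-user limits so one analyst cannot starve the search head
srchJobsQuota = 10
srchDiskQuota = 500
```

After editing the file, restart Splunk so the new role is read, then check the merged result with `splunk btool authorize list role_soc_analyst --debug` (which also shows which file each setting came from) or, from a search bar, `| rest /services/authorization/roles | search title=soc_analyst`. A user holding only soc_analyst should be able to log in and search the two listed indexes, and a search piped to `| delete` should be refused because the role lacks delete_by_keyword.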
So in summary, during this lesson we discussed how access works in Splunk and that it uses role-based access control; how to add users to a role, since that is essential and you will not be able to log in unless you belong to a role. We also discussed the four Splunk default roles: admin, power, user, and can_delete. Then we also went through how you can create your own custom roles. We'll explore both of these concepts in more depth in a lab. So if you felt like that was kind of a light overview, don't worry, we will jump into this a little bit more thoroughly during a lab, so we'll see you in the next lesson.