Access Control
ElasticSPL Roles
ElasticSPL ships with a set of custom roles. It is advised to configure your existing roles to inherit from the default roles.
| Role | Description | Inheritance | Capabililities |
|---|---|---|---|
| elastic_admin | Role to assign to users needing to configure ElasticSPL without beeing Splunk Admins. The role allows for full access and to knowledge objects. | elastic_user elastic_adhoc elastic_power | |
| elastic_power | Role allowing CRUD on queries. Only queries for which the user has write permissions are editable. | elastic_user | |
| elastic_user | Role to assign to users requiring access to the Dashboards and Commands provided by the app. The role itself does not grant any access to instances or queries. Every instance and query has its own access control list. | user | list_storage_passwords |
| elastic_adhoc | Role to assign to users if they should be able to query the assigned instances with ad-hoc queries. This allows the user to run arbitrary queries and should therefore only be assigned to users that are allowed to access any data |
ElasticSPL Knowledge Object Permissions
ElasticSPL uses Splunks access control mechanisms to control access to instances and queries. The permissions are applied to the knowledge objects (instances and queries) and not to the users. This allows for more granular control over access to the data. Each knowledge object has a list of roles that are allowed to access the object and a list of roles that are allowed to edit the object.
It is important to remember that the owner has full access to a knowledge object and can always access, edit, and delete the object.