Skip to main content
Version: 1.2.0

Access Control

ElasticSPL Roles

ElasticSPL ships with a set of custom roles. It is advised to configure your existing roles to inherit from the default roles.

elastic_adminRole to assign to users needing to configure ElasticSPL without beeing Splunk Admins. The role allows for full access and to knowledge objects.elastic_user elastic_adhoc elastic_power
elastic_powerRole allowing CRUD on queries. Only queries for which the user has write permissions are editable.elastic_user
elastic_userRole to assign to users requiring access to the Dashboards and Commands provided by the app. The role itself does not grant any access to instances or queries. Every instance and query has its own access control list.userlist_storage_passwords
elastic_adhocRole to assign to users if they should be able to query the assigned instances with ad-hoc queries. This allows the user to run arbitrary queries and should therefore only be assigned to users that are allowed to access any data

ElasticSPL Knowledge Object Permissions

ElasticSPL uses Splunks access control mechanisms to control access to instances and queries. The permissions are applied to the knowledge objects (instances and queries) and not to the users. This allows for more granular control over access to the data. Each knowledge object has a list of roles that are allowed to access the object and a list of roles that are allowed to edit the object.

It is important to remember that the owner has full access to a knowledge object and can always access, edit, and delete the object.