Access Control
S3SPL Roles
S3SPL ships with a set of custom roles. It is advised to configure your existing roles to inherit from the default roles.
Role | Description | Inheritance | Capabilities |
---|---|---|---|
s3spl_admin | Role to assign to users needing to configure S3SPL without being Splunk Admins. The role grants full access to all knowledge objects. | s3spl_user s3spl_adhoc s3spl_power | |
s3spl_power | Role allowing CRUD on queries. Only queries for which the user has write permissions are editable. | s3spl_user | |
s3spl_user | Role to assign to users requiring access to the Dashboards and Commands provided by the app. The role itself does not grant any access to buckets or queries. Every bucket and query has its own access control list. | user | list_storage_passwords |
s3spl_adhoc | Role to assign to users who should be able to query the assigned buckets with ad-hoc queries. This allows the user to run arbitrary queries and should therefore only be assigned to users that are allowed to access all data in the assigned buckets. | | |
S3SPL Knowledge Object Permissions
S3SPL uses Splunk's access control mechanisms to control access to buckets and queries. The permissions are applied to the knowledge objects (buckets and queries), not to the users. This allows for more granular control over access to the data. Each knowledge object has a list of roles that are allowed to read the object and a list of roles that are allowed to edit the object.
It is important to remember that the owner has full access to a knowledge object and can always edit it, even if the user is not a member of any role that grants write access.
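As an added example (not part of the S3SPL documentation), the following shows how a site-defined role inherits from the shipped roles in authorize.conf, and how a knowledge object's read/write lists and owner are expressed in a Splunk metadata file. The role names soc_analyst and soc_reviewer, the owner alice, and the `<conf_type>/<object_name>` stanza are constructed placeholders; the real stanza name is whatever S3SPL uses for its bucket or query objects.

```ini
# authorize.conf (local/ directory of your own app)
# A constructed site role inherits the S3SPL defaults instead of being granted
# capabilities directly. s3spl_adhoc is deliberately not imported: ad-hoc
# queries can read any data in an assigned bucket.
[role_soc_analyst]
importRoles = s3spl_user;s3spl_power

# Reviewers only need the dashboards and the saved queries they are listed on.
[role_soc_reviewer]
importRoles = s3spl_user

# metadata/local.meta (in the app that owns the knowledge object)
# Placeholder stanza: replace <conf_type>/<object_name> with the S3SPL object.
[<conf_type>/<object_name>]
owner = alice
access = read : [ soc_analyst, soc_reviewer ], write : [ soc_analyst ]
export = system
```

Because alice is the owner, she can edit the object even though she appears in neither list; review owners as carefully as the write list when auditing access.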