Roles
ITSI Roles
- itoa_user: Basic read access to ITSI, plus write access to their own private glass tables.
- itoa_analyst: For knowledge managers who will create glass tables, deep dives, notable events and service analyzers and work with episodes in Episode Review.
- itoa_team_admin: Create and administer services, and update objects for ITSI teams to which they are assigned read/write access. Read/write/delete KPIs, entities, base searches, threshold templates, correlation searches, modules, etc.
- itoa_admin: Admins create teams for team administrators to administer, and create objects in the Global team. Read/write/delete service templates, bulk imports, backups and restores, etc.
- admin: Inherits itoa_admin, itoa_analyst, itoa_user, user, power.
Note: Never delete the default admin user from your Splunk instance.
You can create a custom role.
Steps:
- Assign the role proper capabilities: Create a local copy of authorize.conf in $SPLUNK_HOME/etc/apps/itsi/local/ directory.
- Grant the role access to ITSI indexes: Assign necessary indexes (mentioned above)
- Assign the role proper view-level access: ITSI includes default entries in itsi/metadata/default.meta that determine access for ITSI roles to specific ITSI views. By default, only itoa_admin has read/write permissions for all ITSI views. Copy the relevant entries to the local.meta file and update the access permissions.
Example:
[views/glass_tables_lister]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]
- Assign the role KV store collection level access: The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles like read/write/delete access to backfill, correlation searches, services etc.
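A least-privilege check for the metadata steps above, as an added example that is not part of the original page or of ITSI: it parses `access = ...` stanzas from .meta text and lists every role other than itoa_admin that holds write access. The sample text is constructed; the stanzas views/example_view_a and views/example_view_b and the role ops_custom are hypothetical.

```python
import re

# Constructed sample local.meta content. The first stanza is the one shown
# above; the other two stanzas and the role "ops_custom" are hypothetical.
SAMPLE_LOCAL_META = """\
[views/glass_tables_lister]
access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [itoa_admin]

[views/example_view_a]
access = read : [ itoa_admin, ops_custom ], write : [ itoa_admin, ops_custom ]

[views/example_view_b]
access = read : [ * ], write : [ * ]
"""

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
ACL_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza: {"read": [roles], "write": [roles]}} from .meta text."""
    acl, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            acl[stanza] = {"read": [], "write": []}
            continue
        key, _, value = line.partition("=")
        if stanza is not None and key.strip() == "access":
            for perm, roles in ACL_RE.findall(value):
                acl[stanza][perm] = [r.strip() for r in roles.split(",") if r.strip()]
    return acl


def unexpected_writers(acl, allowed=("itoa_admin",)):
    """List (stanza, role) pairs where a role outside `allowed` can write."""
    return [(s, r) for s, p in sorted(acl.items())
            for r in p["write"] if r not in allowed]


if __name__ == "__main__":
    for stanza, role in unexpected_writers(parse_meta(SAMPLE_LOCAL_META)):
        print(f"{stanza}: write granted to {role}")
```

Run it against the merged contents of default.meta and local.meta after editing a custom role, and treat a `*` entry in a write list as a finding, since it grants write to every role.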