###### ITSI authorize.conf ######
## Declares one ITSI capability and the role stanzas (role_admin, role_itoa_admin,
## role_itoa_team_admin, role_itoa_analyst, role_itoa_user) that grant ITSI capabilities.
## A role also receives every capability of the roles listed in its importRoles,
## so a grant made on a lower role is held by every role that imports it.

## Declares the capability edit_itsi_modules_conf; in this file it is granted
## only in [role_itoa_admin].
[capability::edit_itsi_modules_conf]
disabled = 0

#####################
## Roles
#####################

## Splunk Admin
## The Splunk admin role inherits itoa_admin;itoa_analyst;itoa_user;power;user roles
## This allows users associated with the admin role to administer itoa out of the box
[role_admin]
importRoles = itoa_admin;itoa_analyst;itoa_user;power;user
## increase disk quota for admin role to 25GB (srchDiskQuota is expressed in MB)
srchDiskQuota = 25000

## ITOA Admin
## The ITOA admin role imports itoa_team_admin;power;user;metric_ad_admin.
## itoa_analyst and itoa_user are not listed directly; they are reached through
## itoa_team_admin (which imports itoa_analyst, which imports itoa_user).
## metric_ad_admin is not defined in this file.
## This allows users assigned to the itoa_admin role to perform all capabilities of an itoa_team_admin, itoa_analyst and itoa_user
[role_itoa_admin]
importRoles = itoa_team_admin;power;user;metric_ad_admin
edit_itsi_modules_conf = enabled

## Core dependent capabilities
# Capabilities copied from Splunk admin role to enable write permissions
# NOTE(review): list_storage_passwords lets holders read secrets kept in Splunk's
# credential store. Audit membership of every role that holds it.
list_storage_passwords = enabled
# Add capability to lookup settings (regular and search head)
# Search head configuration is used by ITSI modular inputs
list_search_head_clustering = enabled
list_settings = enabled
rtsearch = enabled
# For event management
# NOTE(review): edit_token_http allows managing HTTP Event Collector tokens.
edit_token_http = enabled

## ITSI specific/controlled capabilities
# Notable Event Rules Engine
read_itsi_notable_aggregation_policy = enabled
write_itsi_notable_aggregation_policy = enabled
delete_itsi_notable_aggregation_policy = enabled
interact_with_itsi_notable_aggregation_policy = enabled
# Editing the default aggregation policy is granted only in this stanza.
edit_default_itsi_notable_aggregation_policy = enabled

# Set Role Based Access Control
configure_perms = enabled

# Glass Table
read_itsi_glass_table = enabled
write_itsi_glass_table = enabled
delete_itsi_glass_table = enabled
interact_with_itsi_glass_table = enabled

# Deep Dive
read_itsi_deep_dive = enabled
write_itsi_deep_dive = enabled
delete_itsi_deep_dive = enabled
interact_with_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled
interact_with_itsi_deep_dive_context = enabled

# Service Analyzer
read_itsi_homeview = enabled
write_itsi_homeview = enabled
delete_itsi_homeview = enabled
interact_with_itsi_homeview = enabled

# Event Management State
read_itsi_event_management_state = enabled
write_itsi_event_management_state = enabled
delete_itsi_event_management_state = enabled
interact_with_itsi_event_management_state = enabled

# Temporary KPI
read_itsi_temporary_kpi = enabled
write_itsi_temporary_kpi = enabled
delete_itsi_temporary_kpi = enabled

# KPI State Cache
read_itsi_kpi_state_cache = enabled
write_itsi_kpi_state_cache = enabled
delete_itsi_kpi_state_cache = enabled

# Service
read_itsi_service = enabled
write_itsi_service = enabled
delete_itsi_service = enabled
bulk_import_service_or_entity = enabled

# Drift detection templates
write_itsi_drift_detection_template = enabled
read_itsi_drift_detection_template = enabled
delete_itsi_drift_detection_template = enabled

# Teams
read_itsi_team = enabled
write_itsi_team = enabled
delete_itsi_team = enabled

# Service Template
read_itsi_base_service_template = enabled
write_itsi_base_service_template = enabled
delete_itsi_base_service_template = enabled

# Backup Restore
read_itsi_backup_restore = enabled
write_itsi_backup_restore = enabled
delete_itsi_backup_restore = enabled

# KPI Threshold Template
read_itsi_kpi_threshold_template = enabled
write_itsi_kpi_threshold_template = enabled
delete_itsi_kpi_threshold_template = enabled

# KPI Entity Thresholds
read_itsi_kpi_entity_threshold = enabled
write_itsi_kpi_entity_threshold = enabled
delete_itsi_kpi_entity_threshold = enabled

# KPI Base Searches
read_itsi_kpi_base_search = enabled
write_itsi_kpi_base_search = enabled
delete_itsi_kpi_base_search = enabled

# Correlation Search
read_itsi_correlation_search = enabled
write_itsi_correlation_search = enabled
delete_itsi_correlation_search = enabled
interact_with_itsi_correlation_search = enabled

# Notable Events
read_notable_event = enabled
# Note that the index delete setting (delete_by_keyword) is closely tied to the
# write_notable_event and delete_notable_event capabilities
write_notable_event = enabled
delete_notable_event = enabled

# Episode actions
read_notable_event_action = enabled
execute_notable_event_action = enabled

# Email Template
read_itsi_notable_event_email_template = enabled
write_itsi_notable_event_email_template = enabled
delete_itsi_notable_event_email_template = enabled

# Maintenance Services
read_maintenance_calendar = enabled
write_maintenance_calendar = enabled
delete_maintenance_calendar = enabled

# ITSI Module Interface
read_module_interface = enabled
write_module_interface = enabled
delete_module_interface = enabled

# Capability for CSV Import mod input
edit_modinput_itsi_csv_import = enabled

# Entity Management Policies
read_itsi_entity_management_policies = enabled
write_itsi_entity_management_policies = enabled
delete_itsi_entity_management_policies = enabled

# Custom Threshold Window
read_itsi_custom_threshold_windows = enabled
write_itsi_custom_threshold_windows = enabled
delete_itsi_custom_threshold_windows = enabled

# Custom Threshold Window Activity
read_itsi_custom_threshold_windows_activity = enabled
write_itsi_custom_threshold_windows_activity = enabled
delete_itsi_custom_threshold_windows_activity = enabled

# Content Pack Authorship
read_itsi_content_pack_authorship = enabled
write_itsi_content_pack_authorship = enabled
delete_itsi_content_pack_authorship = enabled

# Entity Discovery Searches
read_itsi_entity_discovery_searches = enabled
write_itsi_entity_discovery_searches = enabled

# Upgrade Readiness Precheck
read_itsi_upgrade_readiness_prechecks = enabled
write_itsi_upgrade_readiness_prechecks = enabled
delete_itsi_upgrade_readiness_prechecks = enabled

# ITSI Sandbox
read_itsi_sandbox = enabled
write_itsi_sandbox = enabled
delete_itsi_sandbox = enabled

# ITSI Sandbox Service
read_itsi_sandbox_service = enabled
write_itsi_sandbox_service = enabled
delete_itsi_sandbox_service = enabled

# ITSI Sandbox Sync Log
read_itsi_sandbox_sync_log = enabled
write_itsi_sandbox_sync_log = enabled
delete_itsi_sandbox_sync_log = enabled

# ITSI Admin Console
read_itsi_admin_console = enabled
write_itsi_admin_console = enabled

# Refresh Queue Job
read_itsi_refresh_queue_job = enabled
write_itsi_refresh_queue_job = enabled
delete_itsi_refresh_queue_job = enabled

# Data Integration
read_itsi_data_integration = enabled
write_itsi_data_integration = enabled
delete_itsi_data_integration = enabled

# KPI AT Info
read_itsi_kpi_at_info = enabled
write_itsi_kpi_at_info = enabled
delete_itsi_kpi_at_info = enabled

# Episode Export
read_itsi_event_management_export = enabled
write_itsi_event_management_export = enabled
delete_itsi_event_management_export = enabled

## ITOA Team Admin
## The ITOA team admin role imports itoa_analyst;power;user;metric_ad_admin.
## itoa_user is reached through itoa_analyst; metric_ad_admin is not defined in this file.
## This allows users assigned to the itoa_team_admin role to perform all capabilities of an itoa_analyst and itoa_user
[role_itoa_team_admin]
importRoles = itoa_analyst;power;user;metric_ad_admin

## Core dependent capabilities
# Capabilities copied from Splunk admin role to enable write permissions
# NOTE(review): list_storage_passwords lets holders read secrets kept in Splunk's
# credential store. Audit membership of every role that holds it.
list_storage_passwords = enabled
# Add capability to lookup settings (regular and search head)
# Search head configuration is used by ITSI modular inputs
list_search_head_clustering = enabled
list_settings = enabled
rtsearch = enabled
# For event management
# NOTE(review): edit_token_http allows managing HTTP Event Collector tokens.
edit_token_http = enabled

## ITSI specific/controlled capabilities
# Notable Event Rules Engine
read_itsi_notable_aggregation_policy = enabled
write_itsi_notable_aggregation_policy = enabled
delete_itsi_notable_aggregation_policy = enabled
interact_with_itsi_notable_aggregation_policy = enabled

# Set Role Based Access Control
configure_perms = enabled

# Glass Table
read_itsi_glass_table = enabled
write_itsi_glass_table = enabled
delete_itsi_glass_table = enabled
interact_with_itsi_glass_table = enabled

# Deep Dive
read_itsi_deep_dive = enabled
write_itsi_deep_dive = enabled
delete_itsi_deep_dive = enabled
interact_with_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled
interact_with_itsi_deep_dive_context = enabled

# Service Analyzer
read_itsi_homeview = enabled
write_itsi_homeview = enabled
delete_itsi_homeview = enabled
interact_with_itsi_homeview = enabled

# Event Management State
read_itsi_event_management_state = enabled
write_itsi_event_management_state = enabled
delete_itsi_event_management_state = enabled

# Temporary KPI
read_itsi_temporary_kpi = enabled
write_itsi_temporary_kpi = enabled
delete_itsi_temporary_kpi = enabled

# KPI State Cache
read_itsi_kpi_state_cache = enabled
write_itsi_kpi_state_cache = enabled
delete_itsi_kpi_state_cache = enabled

# Service
read_itsi_service = enabled
write_itsi_service = enabled
delete_itsi_service = enabled
bulk_import_service_or_entity = enabled

# Drift detection templates
write_itsi_drift_detection_template = enabled
read_itsi_drift_detection_template = enabled
delete_itsi_drift_detection_template = enabled

# Teams (read only in this stanza; write/delete appear only in [role_itoa_admin])
read_itsi_team = enabled

# KPI Threshold Template
read_itsi_kpi_threshold_template = enabled
write_itsi_kpi_threshold_template = enabled
delete_itsi_kpi_threshold_template = enabled

# KPI Entity Thresholds
read_itsi_kpi_entity_threshold = enabled
write_itsi_kpi_entity_threshold = enabled
delete_itsi_kpi_entity_threshold = enabled

# KPI Base Searches
read_itsi_kpi_base_search = enabled
write_itsi_kpi_base_search = enabled
delete_itsi_kpi_base_search = enabled

# Correlation Search
read_itsi_correlation_search = enabled
write_itsi_correlation_search = enabled
delete_itsi_correlation_search = enabled
interact_with_itsi_correlation_search = enabled

# Notable Events
read_notable_event = enabled
# Note that the index delete setting (delete_by_keyword) is closely tied to the
# write_notable_event and delete_notable_event capabilities
write_notable_event = enabled
delete_notable_event = enabled

# Service Templates (read only in this stanza)
read_itsi_base_service_template = enabled

# Episode actions
read_notable_event_action = enabled
execute_notable_event_action = enabled

# Email Template
read_itsi_notable_event_email_template = enabled
write_itsi_notable_event_email_template = enabled
delete_itsi_notable_event_email_template = enabled

# Maintenance Services
read_maintenance_calendar = enabled
write_maintenance_calendar = enabled
delete_maintenance_calendar = enabled

# ITSI Module Interface
read_module_interface = enabled
write_module_interface = enabled
delete_module_interface = enabled

# Entity Management Policies
read_itsi_entity_management_policies = enabled

# Entity Discovery Searches
read_itsi_entity_discovery_searches = enabled

# Custom Threshold Windows
read_itsi_custom_threshold_windows = enabled
write_itsi_custom_threshold_windows = enabled
delete_itsi_custom_threshold_windows = enabled

# Custom Threshold Window Activity
read_itsi_custom_threshold_windows_activity = enabled
write_itsi_custom_threshold_windows_activity = enabled
delete_itsi_custom_threshold_windows_activity = enabled

# ITSI Sandbox
read_itsi_sandbox = enabled
write_itsi_sandbox = enabled

# ITSI Sandbox Service
read_itsi_sandbox_service = enabled
write_itsi_sandbox_service = enabled
delete_itsi_sandbox_service = enabled

# ITSI Sandbox Sync Log
read_itsi_sandbox_sync_log = enabled
write_itsi_sandbox_sync_log = enabled

# Refresh Queue Job
read_itsi_refresh_queue_job = enabled
write_itsi_refresh_queue_job = enabled
delete_itsi_refresh_queue_job = enabled

# Data Integration
read_itsi_data_integration = enabled
write_itsi_data_integration = enabled
delete_itsi_data_integration = enabled

# KPI AT Info
read_itsi_kpi_at_info = enabled
write_itsi_kpi_at_info = enabled
delete_itsi_kpi_at_info = enabled

# Episode Export
read_itsi_event_management_export = enabled
write_itsi_event_management_export = enabled
delete_itsi_event_management_export = enabled

## ITOA Analyst
## The ITOA analyst role imports itoa_user;power;user;user_ad_user.
## user_ad_user is not defined in this file.
## This allows users assigned to the itoa_analyst role to perform all capabilities of a power Splunk user as well as itoa_user
## The itoa_analyst role can own notable events and perform all transitions
[role_itoa_analyst]
importRoles = itoa_user;power;user;user_ad_user

## Core dependent capabilities
# NOTE(review): list_storage_passwords lets holders read secrets kept in Splunk's
# credential store. This is the lowest role in this file that is granted it, and
# every role importing itoa_analyst inherits it. Confirm analysts need it and
# audit membership.
list_storage_passwords = enabled
rtsearch = enabled
# For event management
# NOTE(review): edit_token_http allows managing HTTP Event Collector tokens.
edit_token_http = enabled

## ITSI specific/controlled capabilities
# Glass Table
read_itsi_glass_table = enabled
write_itsi_glass_table = enabled
delete_itsi_glass_table = enabled
interact_with_itsi_glass_table = enabled

# Deep Dive
read_itsi_deep_dive = enabled
write_itsi_deep_dive = enabled
delete_itsi_deep_dive = enabled
interact_with_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled
interact_with_itsi_deep_dive_context = enabled

# Service
read_itsi_service = enabled

# Drift detection templates
write_itsi_drift_detection_template = enabled
read_itsi_drift_detection_template = enabled
delete_itsi_drift_detection_template = enabled

# Teams
read_itsi_team = enabled

# Service Template
read_itsi_base_service_template = enabled

# KPI Threshold Template
read_itsi_kpi_threshold_template = enabled

# KPI Base Searches
read_itsi_kpi_base_search = enabled

# Service Analyzer
read_itsi_homeview = enabled
write_itsi_homeview = enabled
delete_itsi_homeview = enabled
interact_with_itsi_homeview = enabled

# Event Management State
read_itsi_event_management_state = enabled
write_itsi_event_management_state = enabled
delete_itsi_event_management_state = enabled

# Temporary KPI
read_itsi_temporary_kpi = enabled
write_itsi_temporary_kpi = enabled
delete_itsi_temporary_kpi = enabled

# KPI State Cache
read_itsi_kpi_state_cache = enabled

# Correlation Search
read_itsi_correlation_search = enabled

# Notable Event Rules Engine
read_itsi_notable_aggregation_policy = enabled

# Notable Events
read_notable_event = enabled
# Note that the index delete setting (delete_by_keyword) is closely tied to the
# write_notable_event and delete_notable_event capabilities
write_notable_event = enabled
delete_notable_event = enabled

# Episode actions
read_notable_event_action = enabled
execute_notable_event_action = enabled

# Email Template
read_itsi_notable_event_email_template = enabled
write_itsi_notable_event_email_template = enabled
delete_itsi_notable_event_email_template = enabled

# Maintenance Services
read_maintenance_calendar = enabled

# Entity Management Policies
read_itsi_entity_management_policies = enabled

# Entity Discovery Searches
read_itsi_entity_discovery_searches = enabled

# Refresh Queue Job
read_itsi_refresh_queue_job = enabled
write_itsi_refresh_queue_job = enabled
delete_itsi_refresh_queue_job = enabled

# Data Integration
read_itsi_data_integration = enabled

# Episode Export
read_itsi_event_management_export = enabled
write_itsi_event_management_export = enabled
delete_itsi_event_management_export = enabled

## ITOA User
## The ITOA user role imports user;user_ad_user (user_ad_user is not defined in this file).
## This allows users assigned to the itoa_user role to perform all capabilities of a Splunk user
## The itoa_user role can also perform RT search
## NOTE(review): rtsearch is not set in this stanza; presumably it comes from an
## imported role. Confirm.
## NOTE(review): this is the base ITSI role, yet it holds write/delete capabilities
## for deep dive contexts, drift detection templates, homeviews, event management
## state, temporary KPIs and refresh queue jobs. Every role that imports itoa_user
## inherits them, so confirm each is intended for the least-privileged users.
[role_itoa_user]
importRoles = user;user_ad_user

## ITSI specific/controlled capabilities
# Backup Restore
read_itsi_backup_restore = enabled

# Glass Table
read_itsi_glass_table = enabled
interact_with_itsi_glass_table = enabled

# Deep Dive
read_itsi_deep_dive = enabled
interact_with_itsi_deep_dive = enabled
read_itsi_deep_dive_context = enabled
write_itsi_deep_dive_context = enabled
delete_itsi_deep_dive_context = enabled
interact_with_itsi_deep_dive_context = enabled

# Service
read_itsi_service = enabled

# Drift detection templates
write_itsi_drift_detection_template = enabled
read_itsi_drift_detection_template = enabled
delete_itsi_drift_detection_template = enabled

# Teams
read_itsi_team = enabled

# Service Template
read_itsi_base_service_template = enabled

# KPI Threshold Template
read_itsi_kpi_threshold_template = enabled

# KPI Base Searches
read_itsi_kpi_base_search = enabled

# Service Analyzer
read_itsi_homeview = enabled
write_itsi_homeview = enabled
delete_itsi_homeview = enabled
interact_with_itsi_homeview = enabled

# Event Management State
read_itsi_event_management_state = enabled
write_itsi_event_management_state = enabled
delete_itsi_event_management_state = enabled
interact_with_itsi_event_management_state = enabled

# Temporary KPI
read_itsi_temporary_kpi = enabled
write_itsi_temporary_kpi = enabled
delete_itsi_temporary_kpi = enabled

# KPI State Cache
read_itsi_kpi_state_cache = enabled

# Correlation Search
read_itsi_correlation_search = enabled

# Notable Events
read_notable_event = enabled

# Episode actions
read_notable_event_action = enabled

# Maintenance Services
read_maintenance_calendar = enabled

# Entity Management Policies
read_itsi_entity_management_policies = enabled

# ITSI Sandbox
read_itsi_sandbox = enabled

# ITSI Sandbox Service
read_itsi_sandbox_service = enabled

# ITSI Sandbox Sync Log
read_itsi_sandbox_sync_log = enabled

# Entity Discovery Searches
read_itsi_entity_discovery_searches = enabled

# Refresh Queue Job
read_itsi_refresh_queue_job = enabled
write_itsi_refresh_queue_job = enabled
delete_itsi_refresh_queue_job = enabled