You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
628 lines
17 KiB
628 lines
17 KiB
###### ITSI authorize.conf ######
|
|
|
|
[capability::edit_itsi_modules_conf]
|
|
disabled = 0
|
|
|
|
#####################
|
|
## Roles
|
|
#####################
|
|
|
|
## Splunk Admin
|
|
## The Splunk admin role inherits itoa_admin;itoa_analyst;itoa_user;power;user roles
|
|
## This allows users associated with the admin role to administer itoa out of the box
|
|
[role_admin]
|
|
importRoles = itoa_admin;itoa_analyst;itoa_user;power;user
|
|
|
|
## increase disk quota for admin role to 25GB
|
|
srchDiskQuota = 25000
|
|
|
|
|
|
## ITOA Admin
|
|
## The ITOA admin role inherits itoa_analyst;power;itoa_user;user roles
|
|
## This allows users assigned to the itoa_admin role to perform all capabilities of an itoa_team_admin, itoa_analyst and itoa_user
|
|
[role_itoa_admin]
|
|
importRoles = itoa_team_admin;power;user;metric_ad_admin
|
|
|
|
edit_itsi_modules_conf = enabled
|
|
|
|
## Core dependent capabilities
|
|
# Capabilities copied from Splunk admin role to enable write permissions
|
|
list_storage_passwords = enabled
|
|
|
|
# Add capability to lookup settings (regular and search head)
|
|
# Search head configuration is used by ITSI modular inputs
|
|
list_search_head_clustering = enabled
|
|
list_settings = enabled
|
|
|
|
rtsearch = enabled
|
|
|
|
# For event management
|
|
edit_token_http = enabled
|
|
|
|
## ITSI specific/controlled capabilities
|
|
|
|
# Notable Event Rules Engine
|
|
read_itsi_notable_aggregation_policy = enabled
|
|
write_itsi_notable_aggregation_policy = enabled
|
|
delete_itsi_notable_aggregation_policy = enabled
|
|
interact_with_itsi_notable_aggregation_policy = enabled
|
|
edit_default_itsi_notable_aggregation_policy = enabled
|
|
|
|
# Set Role Based Access Control
|
|
configure_perms = enabled
|
|
|
|
# Glass Table
|
|
read_itsi_glass_table = enabled
|
|
write_itsi_glass_table = enabled
|
|
delete_itsi_glass_table = enabled
|
|
interact_with_itsi_glass_table = enabled
|
|
|
|
# Deep Dive
|
|
read_itsi_deep_dive = enabled
|
|
write_itsi_deep_dive = enabled
|
|
delete_itsi_deep_dive = enabled
|
|
interact_with_itsi_deep_dive = enabled
|
|
read_itsi_deep_dive_context = enabled
|
|
write_itsi_deep_dive_context = enabled
|
|
delete_itsi_deep_dive_context = enabled
|
|
interact_with_itsi_deep_dive_context = enabled
|
|
|
|
# Service Analyzer
|
|
read_itsi_homeview = enabled
|
|
write_itsi_homeview = enabled
|
|
delete_itsi_homeview = enabled
|
|
interact_with_itsi_homeview = enabled
|
|
|
|
# Event Management State
|
|
read_itsi_event_management_state = enabled
|
|
write_itsi_event_management_state = enabled
|
|
delete_itsi_event_management_state = enabled
|
|
interact_with_itsi_event_management_state = enabled
|
|
|
|
# Temporary KPI
|
|
read_itsi_temporary_kpi = enabled
|
|
write_itsi_temporary_kpi = enabled
|
|
delete_itsi_temporary_kpi = enabled
|
|
|
|
# KPI State Cache
|
|
read_itsi_kpi_state_cache = enabled
|
|
write_itsi_kpi_state_cache = enabled
|
|
delete_itsi_kpi_state_cache = enabled
|
|
|
|
# Service
|
|
read_itsi_service = enabled
|
|
write_itsi_service = enabled
|
|
delete_itsi_service = enabled
|
|
bulk_import_service_or_entity = enabled
|
|
|
|
# Drift detection templates
|
|
write_itsi_drift_detection_template = enabled
|
|
read_itsi_drift_detection_template = enabled
|
|
delete_itsi_drift_detection_template = enabled
|
|
|
|
# Teams
|
|
read_itsi_team = enabled
|
|
write_itsi_team = enabled
|
|
delete_itsi_team = enabled
|
|
|
|
# Service Template
|
|
read_itsi_base_service_template = enabled
|
|
write_itsi_base_service_template = enabled
|
|
delete_itsi_base_service_template = enabled
|
|
|
|
# Backup Restore
|
|
read_itsi_backup_restore = enabled
|
|
write_itsi_backup_restore = enabled
|
|
delete_itsi_backup_restore = enabled
|
|
|
|
# KPI Threshold Template
|
|
read_itsi_kpi_threshold_template = enabled
|
|
write_itsi_kpi_threshold_template = enabled
|
|
delete_itsi_kpi_threshold_template = enabled
|
|
|
|
# KPI Entity Thresholds
|
|
read_itsi_kpi_entity_threshold = enabled
|
|
write_itsi_kpi_entity_threshold = enabled
|
|
delete_itsi_kpi_entity_threshold = enabled
|
|
|
|
# KPI Base Searches
|
|
read_itsi_kpi_base_search = enabled
|
|
write_itsi_kpi_base_search = enabled
|
|
delete_itsi_kpi_base_search = enabled
|
|
|
|
# Correlation Search
|
|
read_itsi_correlation_search = enabled
|
|
write_itsi_correlation_search = enabled
|
|
delete_itsi_correlation_search = enabled
|
|
interact_with_itsi_correlation_search = enabled
|
|
|
|
# Notable Events
|
|
read_notable_event = enabled
|
|
# Note that index delete settings (delete_by_keyword) is closely tied to
|
|
# write_notable_event and delete_notable_event capabilities
|
|
write_notable_event = enabled
|
|
delete_notable_event = enabled
|
|
|
|
# Episode actions
|
|
read_notable_event_action = enabled
|
|
execute_notable_event_action = enabled
|
|
|
|
# Email Template
|
|
read_itsi_notable_event_email_template = enabled
|
|
write_itsi_notable_event_email_template = enabled
|
|
delete_itsi_notable_event_email_template = enabled
|
|
|
|
# Maintenance Services
|
|
read_maintenance_calendar = enabled
|
|
write_maintenance_calendar = enabled
|
|
delete_maintenance_calendar = enabled
|
|
|
|
# ITSI Module Interface
|
|
read_module_interface = enabled
|
|
write_module_interface = enabled
|
|
delete_module_interface = enabled
|
|
|
|
# Capability for CSV Import mod input
|
|
edit_modinput_itsi_csv_import = enabled
|
|
|
|
# Entity Management Policies
|
|
read_itsi_entity_management_policies = enabled
|
|
write_itsi_entity_management_policies = enabled
|
|
delete_itsi_entity_management_policies = enabled
|
|
|
|
# Custom Threshold Window
|
|
read_itsi_custom_threshold_windows = enabled
|
|
write_itsi_custom_threshold_windows = enabled
|
|
delete_itsi_custom_threshold_windows = enabled
|
|
|
|
# Custom Threshold Window Activity
|
|
read_itsi_custom_threshold_windows_activity = enabled
|
|
write_itsi_custom_threshold_windows_activity = enabled
|
|
delete_itsi_custom_threshold_windows_activity = enabled
|
|
|
|
# Content Pack Authorship
|
|
read_itsi_content_pack_authorship = enabled
|
|
write_itsi_content_pack_authorship = enabled
|
|
delete_itsi_content_pack_authorship = enabled
|
|
|
|
# Entity Discovery Searches
|
|
read_itsi_entity_discovery_searches = enabled
|
|
write_itsi_entity_discovery_searches = enabled
|
|
|
|
# Upgrade Readiness Precheck
|
|
read_itsi_upgrade_readiness_prechecks = enabled
|
|
write_itsi_upgrade_readiness_prechecks = enabled
|
|
delete_itsi_upgrade_readiness_prechecks = enabled
|
|
|
|
# ITSI Sandbox
|
|
read_itsi_sandbox = enabled
|
|
write_itsi_sandbox = enabled
|
|
delete_itsi_sandbox = enabled
|
|
|
|
# ITSI Sandbox Service
|
|
read_itsi_sandbox_service = enabled
|
|
write_itsi_sandbox_service = enabled
|
|
delete_itsi_sandbox_service = enabled
|
|
|
|
# ITSI Sandbox Sync Log
|
|
read_itsi_sandbox_sync_log = enabled
|
|
write_itsi_sandbox_sync_log = enabled
|
|
delete_itsi_sandbox_sync_log = enabled
|
|
|
|
# ITSI Admin Console
|
|
read_itsi_admin_console = enabled
|
|
write_itsi_admin_console = enabled
|
|
|
|
# Refresh Queue Job
|
|
read_itsi_refresh_queue_job = enabled
|
|
write_itsi_refresh_queue_job = enabled
|
|
delete_itsi_refresh_queue_job = enabled
|
|
|
|
# Data Integration
|
|
read_itsi_data_integration = enabled
|
|
write_itsi_data_integration = enabled
|
|
delete_itsi_data_integration = enabled
|
|
|
|
# KPI AT Info
|
|
read_itsi_kpi_at_info = enabled
|
|
write_itsi_kpi_at_info = enabled
|
|
delete_itsi_kpi_at_info = enabled
|
|
|
|
# Episode Export
|
|
read_itsi_event_management_export = enabled
|
|
write_itsi_event_management_export = enabled
|
|
delete_itsi_event_management_export = enabled
|
|
|
|
## ITOA Team Admin
|
|
## The ITOA team admin role inherits itoa_analyst;power;itoa_user;user roles
|
|
## This allows users assigned to the role itoa_team_admin role to perform all capabilities of a itoa_analyst and itoa_user
|
|
[role_itoa_team_admin]
|
|
importRoles = itoa_analyst;power;user;metric_ad_admin
|
|
|
|
## Core dependent capabilities
|
|
# Capabilities copied from Splunk admin role to enable write permissions
|
|
list_storage_passwords = enabled
|
|
|
|
# Add capability to lookup settings (regular and search head)
|
|
# Search head configuration is used by ITSI modular inputs
|
|
list_search_head_clustering = enabled
|
|
list_settings = enabled
|
|
|
|
rtsearch = enabled
|
|
|
|
# For event management
|
|
edit_token_http = enabled
|
|
|
|
## ITSI specific/controlled capabilities
|
|
|
|
# Notable Event Rules Engine
|
|
read_itsi_notable_aggregation_policy = enabled
|
|
write_itsi_notable_aggregation_policy = enabled
|
|
delete_itsi_notable_aggregation_policy = enabled
|
|
interact_with_itsi_notable_aggregation_policy = enabled
|
|
|
|
# Set Role Based Access Control
|
|
configure_perms = enabled
|
|
|
|
# Glass Table
|
|
read_itsi_glass_table = enabled
|
|
write_itsi_glass_table = enabled
|
|
delete_itsi_glass_table = enabled
|
|
interact_with_itsi_glass_table = enabled
|
|
|
|
# Deep Dive
|
|
read_itsi_deep_dive = enabled
|
|
write_itsi_deep_dive = enabled
|
|
delete_itsi_deep_dive = enabled
|
|
interact_with_itsi_deep_dive = enabled
|
|
read_itsi_deep_dive_context = enabled
|
|
write_itsi_deep_dive_context = enabled
|
|
delete_itsi_deep_dive_context = enabled
|
|
interact_with_itsi_deep_dive_context = enabled
|
|
|
|
# Service Analyzer
|
|
read_itsi_homeview = enabled
|
|
write_itsi_homeview = enabled
|
|
delete_itsi_homeview = enabled
|
|
interact_with_itsi_homeview = enabled
|
|
|
|
# Event Management State
|
|
read_itsi_event_management_state = enabled
|
|
write_itsi_event_management_state = enabled
|
|
delete_itsi_event_management_state = enabled
|
|
|
|
# Temporary KPI
|
|
read_itsi_temporary_kpi = enabled
|
|
write_itsi_temporary_kpi = enabled
|
|
delete_itsi_temporary_kpi = enabled
|
|
|
|
# KPI State Cache
|
|
read_itsi_kpi_state_cache = enabled
|
|
write_itsi_kpi_state_cache = enabled
|
|
delete_itsi_kpi_state_cache = enabled
|
|
|
|
# Service
|
|
read_itsi_service = enabled
|
|
write_itsi_service = enabled
|
|
delete_itsi_service = enabled
|
|
bulk_import_service_or_entity = enabled
|
|
|
|
# Drift detection templates
|
|
write_itsi_drift_detection_template = enabled
|
|
read_itsi_drift_detection_template = enabled
|
|
delete_itsi_drift_detection_template = enabled
|
|
|
|
# Teams
|
|
read_itsi_team = enabled
|
|
|
|
# KPI Threshold Template
|
|
read_itsi_kpi_threshold_template = enabled
|
|
write_itsi_kpi_threshold_template = enabled
|
|
delete_itsi_kpi_threshold_template = enabled
|
|
|
|
# KPI Entity Thresholds
|
|
read_itsi_kpi_entity_threshold = enabled
|
|
write_itsi_kpi_entity_threshold = enabled
|
|
delete_itsi_kpi_entity_threshold = enabled
|
|
|
|
# KPI Base Searches
|
|
read_itsi_kpi_base_search = enabled
|
|
write_itsi_kpi_base_search = enabled
|
|
delete_itsi_kpi_base_search = enabled
|
|
|
|
# Correlation Search
|
|
read_itsi_correlation_search = enabled
|
|
write_itsi_correlation_search = enabled
|
|
delete_itsi_correlation_search = enabled
|
|
interact_with_itsi_correlation_search = enabled
|
|
|
|
# Notable Events
|
|
read_notable_event = enabled
|
|
# Note that index delete settings (delete_by_keyword) is closely tied to
|
|
# write_notable_event and delete_notable_event capabilities
|
|
write_notable_event = enabled
|
|
delete_notable_event = enabled
|
|
|
|
# Service Templates
|
|
read_itsi_base_service_template = enabled
|
|
|
|
# Episode actions
|
|
read_notable_event_action = enabled
|
|
execute_notable_event_action = enabled
|
|
|
|
# Email Template
|
|
read_itsi_notable_event_email_template = enabled
|
|
write_itsi_notable_event_email_template = enabled
|
|
delete_itsi_notable_event_email_template = enabled
|
|
|
|
# Maintenance Services
|
|
read_maintenance_calendar = enabled
|
|
write_maintenance_calendar = enabled
|
|
delete_maintenance_calendar = enabled
|
|
|
|
# ITSI Module Interface
|
|
read_module_interface = enabled
|
|
write_module_interface = enabled
|
|
delete_module_interface = enabled
|
|
|
|
# Entity Management Policies
|
|
read_itsi_entity_management_policies = enabled
|
|
|
|
# Entity Discovery Searches
|
|
read_itsi_entity_discovery_searches = enabled
|
|
|
|
# Custom Threshold Windows
|
|
read_itsi_custom_threshold_windows = enabled
|
|
write_itsi_custom_threshold_windows = enabled
|
|
delete_itsi_custom_threshold_windows = enabled
|
|
|
|
# Custom Threshold Window Activity
|
|
read_itsi_custom_threshold_windows_activity = enabled
|
|
write_itsi_custom_threshold_windows_activity = enabled
|
|
delete_itsi_custom_threshold_windows_activity = enabled
|
|
|
|
# ITSI Sandbox
|
|
read_itsi_sandbox = enabled
|
|
write_itsi_sandbox = enabled
|
|
|
|
# ITSI Sandbox Service
|
|
read_itsi_sandbox_service = enabled
|
|
write_itsi_sandbox_service = enabled
|
|
delete_itsi_sandbox_service = enabled
|
|
|
|
# ITSI Sandbox Sync Log
|
|
read_itsi_sandbox_sync_log = enabled
|
|
write_itsi_sandbox_sync_log = enabled
|
|
|
|
# Refresh Queue Job
|
|
read_itsi_refresh_queue_job = enabled
|
|
write_itsi_refresh_queue_job = enabled
|
|
delete_itsi_refresh_queue_job = enabled
|
|
|
|
# Data Integration
|
|
read_itsi_data_integration = enabled
|
|
write_itsi_data_integration = enabled
|
|
delete_itsi_data_integration = enabled
|
|
|
|
# KPI AT Info
|
|
read_itsi_kpi_at_info = enabled
|
|
write_itsi_kpi_at_info = enabled
|
|
delete_itsi_kpi_at_info = enabled
|
|
|
|
# Episode Export
|
|
read_itsi_event_management_export = enabled
|
|
write_itsi_event_management_export = enabled
|
|
delete_itsi_event_management_export = enabled
|
|
|
|
## ITOA Analyst
|
|
## The ITOA analyst role inherits power;itoa_user;user roles
|
|
## This allows users assigned to the itoa_analyst role to perform all capabilities of a power Splunk user as well as itoa_user
|
|
## The itoa_analyst role can own notable events and perform all transitions
|
|
[role_itoa_analyst]
|
|
importRoles = itoa_user;power;user;user_ad_user
|
|
|
|
## Core dependent capabilities
|
|
list_storage_passwords = enabled
|
|
|
|
rtsearch = enabled
|
|
|
|
# For event management
|
|
edit_token_http = enabled
|
|
|
|
## ITSI specific/controlled capabilities
|
|
|
|
# Glass Table
|
|
read_itsi_glass_table = enabled
|
|
write_itsi_glass_table = enabled
|
|
delete_itsi_glass_table = enabled
|
|
interact_with_itsi_glass_table = enabled
|
|
|
|
# Deep Dive
|
|
read_itsi_deep_dive = enabled
|
|
write_itsi_deep_dive = enabled
|
|
delete_itsi_deep_dive = enabled
|
|
interact_with_itsi_deep_dive = enabled
|
|
read_itsi_deep_dive_context = enabled
|
|
write_itsi_deep_dive_context = enabled
|
|
delete_itsi_deep_dive_context = enabled
|
|
interact_with_itsi_deep_dive_context = enabled
|
|
|
|
# Service
|
|
read_itsi_service = enabled
|
|
|
|
# Drift detection templates
|
|
write_itsi_drift_detection_template = enabled
|
|
read_itsi_drift_detection_template = enabled
|
|
delete_itsi_drift_detection_template = enabled
|
|
|
|
# Teams
|
|
read_itsi_team = enabled
|
|
|
|
# Service Template
|
|
read_itsi_base_service_template = enabled
|
|
|
|
# KPI Threshold Template
|
|
read_itsi_kpi_threshold_template = enabled
|
|
|
|
# KPI Base Searches
|
|
read_itsi_kpi_base_search = enabled
|
|
|
|
# Service Analyzer
|
|
read_itsi_homeview = enabled
|
|
write_itsi_homeview = enabled
|
|
delete_itsi_homeview = enabled
|
|
interact_with_itsi_homeview = enabled
|
|
|
|
# Event Management State
|
|
read_itsi_event_management_state = enabled
|
|
write_itsi_event_management_state = enabled
|
|
delete_itsi_event_management_state = enabled
|
|
|
|
# Temporary KPI
|
|
read_itsi_temporary_kpi = enabled
|
|
write_itsi_temporary_kpi = enabled
|
|
delete_itsi_temporary_kpi = enabled
|
|
|
|
# KPI State Cache
|
|
read_itsi_kpi_state_cache = enabled
|
|
|
|
# Correlation Search
|
|
read_itsi_correlation_search = enabled
|
|
|
|
# Notable Event Rules Engine
|
|
read_itsi_notable_aggregation_policy = enabled
|
|
|
|
# Notable Events
|
|
read_notable_event = enabled
|
|
# Note that index delete settings (delete_by_keyword) is closely tied to
|
|
# write_notable_event and delete_notable_event capabilities
|
|
write_notable_event = enabled
|
|
delete_notable_event = enabled
|
|
|
|
# Episode actions
|
|
read_notable_event_action = enabled
|
|
execute_notable_event_action = enabled
|
|
|
|
# Email Template
|
|
read_itsi_notable_event_email_template = enabled
|
|
write_itsi_notable_event_email_template = enabled
|
|
delete_itsi_notable_event_email_template = enabled
|
|
|
|
# Maintenance Services
|
|
read_maintenance_calendar = enabled
|
|
|
|
# Entity Management Policies
|
|
read_itsi_entity_management_policies = enabled
|
|
|
|
# Entity Discovery Searches
|
|
read_itsi_entity_discovery_searches = enabled
|
|
|
|
# Refresh Queue Job
|
|
read_itsi_refresh_queue_job = enabled
|
|
write_itsi_refresh_queue_job = enabled
|
|
delete_itsi_refresh_queue_job = enabled
|
|
|
|
# Data Integration
|
|
read_itsi_data_integration = enabled
|
|
|
|
# Episode Export
|
|
read_itsi_event_management_export = enabled
|
|
write_itsi_event_management_export = enabled
|
|
delete_itsi_event_management_export = enabled
|
|
|
|
## ITOA User
|
|
## The ITOA user role inherits user role
|
|
## This allows users assigned to the itoa_user role to perform all capabilities of a Splunk user
|
|
## The itoa_user role can also perform RT search
|
|
[role_itoa_user]
|
|
importRoles = user;user_ad_user
|
|
|
|
## ITSI specific/controlled capabilities
|
|
|
|
# Backup Restore
|
|
read_itsi_backup_restore = enabled
|
|
|
|
# Glass Table
|
|
read_itsi_glass_table = enabled
|
|
interact_with_itsi_glass_table = enabled
|
|
|
|
# Deep Dive
|
|
read_itsi_deep_dive = enabled
|
|
interact_with_itsi_deep_dive = enabled
|
|
read_itsi_deep_dive_context = enabled
|
|
write_itsi_deep_dive_context = enabled
|
|
delete_itsi_deep_dive_context = enabled
|
|
interact_with_itsi_deep_dive_context = enabled
|
|
|
|
# Service
|
|
read_itsi_service = enabled
|
|
|
|
# Drift detection templates
|
|
write_itsi_drift_detection_template = enabled
|
|
read_itsi_drift_detection_template = enabled
|
|
delete_itsi_drift_detection_template = enabled
|
|
|
|
# Teams
|
|
read_itsi_team = enabled
|
|
|
|
# Service Template
|
|
read_itsi_base_service_template = enabled
|
|
|
|
# KPI Threshold Template
|
|
read_itsi_kpi_threshold_template = enabled
|
|
|
|
# KPI Base Searches
|
|
read_itsi_kpi_base_search = enabled
|
|
|
|
# Service Analyzer
|
|
read_itsi_homeview = enabled
|
|
write_itsi_homeview = enabled
|
|
delete_itsi_homeview = enabled
|
|
interact_with_itsi_homeview = enabled
|
|
|
|
# Event Management State
|
|
read_itsi_event_management_state = enabled
|
|
write_itsi_event_management_state = enabled
|
|
delete_itsi_event_management_state = enabled
|
|
interact_with_itsi_event_management_state = enabled
|
|
|
|
# Temporary KPI
|
|
read_itsi_temporary_kpi = enabled
|
|
write_itsi_temporary_kpi = enabled
|
|
delete_itsi_temporary_kpi = enabled
|
|
|
|
# KPI State Cache
|
|
read_itsi_kpi_state_cache = enabled
|
|
|
|
# Correlation Search
|
|
read_itsi_correlation_search = enabled
|
|
|
|
# Notable Events
|
|
read_notable_event = enabled
|
|
|
|
# Episode actions
|
|
read_notable_event_action = enabled
|
|
|
|
# Maintenance Services
|
|
read_maintenance_calendar = enabled
|
|
|
|
# Entity Management Policies
|
|
read_itsi_entity_management_policies = enabled
|
|
|
|
# ITSI Sandbox
|
|
read_itsi_sandbox = enabled
|
|
|
|
# ITSI Sandbox Service
|
|
read_itsi_sandbox_service = enabled
|
|
|
|
# ITSI Sandbox Sync Log
|
|
read_itsi_sandbox_sync_log = enabled
|
|
|
|
# Entity Discovery Searches
|
|
read_itsi_entity_discovery_searches = enabled
|
|
|
|
# Refresh Queue Job
|
|
read_itsi_refresh_queue_job = enabled
|
|
write_itsi_refresh_queue_job = enabled
|
|
delete_itsi_refresh_queue_job = enabled
|