User Roles and Permissions in Cisco Security Cloud App

User roles help assign appropriate privileges based on each user’s responsibilities. Security Cloud App provides a range of roles with varying permission levels to support different user needs. These include standard Splunk roles, aligning with Splunk’s built-in role-based access control system.

The following table outlines the default roles and their associated permissions available in Security Cloud App.

Role: Admin
Purpose: The role with the highest privilege in the system. It is designed for users who need complete control over system configurations, indexes, and data.
Privileges:
  • Full access to all functionalities, including data inputs, searches, reports, alerts, dashboards, and knowledge objects.
  • Ability to manage all users and roles, and access to all indexes.
  • Permission to configure system settings, create and manage indexes, and set up distributed environments.
  • Capable of modifying auth settings, system configurations, and forwarders.

Role: Can_delete
Purpose: A specialized role granted to users who need the ability to delete events from indexes. Because of the risks involved, it is typically assigned only temporarily.
Privileges:
  • Can permanently delete events from indexes using the | delete search command.
  • Often combined with other roles, such as Admin, for data management tasks.

Role: Power
Purpose: Designed for advanced users who need more capabilities than regular users but do not require full administrative access.
Privileges:
  • Ability to create, edit, and share knowledge objects such as saved searches, dashboards, alerts, and reports.
  • Can perform real-time searches to monitor events as they occur.
  • Can schedule reports and alerts.

Role: Splunk-system-role
Purpose: Allows both administrative work and data management.
Privileges:
  • Full access for managing data and performing administrative tasks.
  • Can configure system settings and manage users and roles, similar to the Admin role.
  • Can access and manage data across indexes.

Role: User
Purpose: The default role for most end users. It provides access to basic search and reporting functionalities.
Privileges:
  • Can perform searches across the indexes to which they have access.
  • Can create and save personal reports, alerts, and dashboards, with limited sharing permissions.
  • Cannot manage users, system settings, or indexes.

In addition to the default roles, Security Cloud App provides specific roles and functionalities. The following table shows the functionalities that are allowed for each role in Security Cloud App.

Roles (table columns): admin, can_delete, power, splunk-system-role, user

Permissions (table rows; the per-role allowed marks of the original table are not reproduced in this text):
  • Create inputs
  • View inputs
  • Edit inputs
  • Delete inputs
  • View dashboards
  • Clone dashboards
  • Edit dashboards
  • Edit permissions
  • Search events
  • View indexes
  • Create index
  • Edit index
  • Delete index
  • View other users
  • Edit other users
  • Delete/Create other users
  • Monitoring console
  • Knowledge settings
  • Roles settings
  • Data settings
  • Report acceleration & Source types
  • Users and Authentication settings
  • Tokens
  • Distributed environment

Role Assignment Best Practices

To maintain security and ensure appropriate access, follow these best practices when assigning user roles:

  • Assign the admin role only to trusted administrators, as it provides full control over the system.

  • Use the can_delete role sparingly, and only for users who need deletion rights for specific maintenance tasks.

  • Grant the power role to security analysts and reporting staff so they can create and share searches, dashboards, and alerts.

  • Use the user role for general access, and modify permissions only when users need to configure inputs.

Edit a User Role

By default, the user role doesn't have the capabilities required to view all apps on the Application Setup page.

Procedure

Step 1

To display all the apps that are created by Admin inputs, together with their status, for the user, do the following:

  1. Navigate to Settings > Roles > user.

  2. Add the following capabilities to the User role:

    1. list_storage_passwords

    2. dispatch_rest_to_indexers

  3. To show the correct status for the user, select the Included check box for the “_* (All internal indexes)” option in the Indexes tab.

Step 2

To enable a user to perform the Create, Read, Update, and Delete (CRUD) operations on an input, add the following capabilities to the User role:

  1. Read permissions:

    • list_inputs (capability to view basic inputs)

    • list_storage_passwords (capability to view inputs that have data stored to secret store)

    • dispatch_rest_to_indexers (capability to get information about index)

  2. Create and Update permissions:

    Note: Before you enable these permissions, ensure that Read permissions are enabled.

    • indexes_edit (capability to create and update index)

    • edit_storage_passwords (capability to edit inputs that have data stored to secret store)

    • edit_token_http (capability to create and update http tokens)

    • edit_tokens_all (capability to create and update other tokens)

    • edit_tcp (capability to create and update tcp hosts)

    • edit_udp (capability to create and update udp hosts)

    • admin_all_objects (capability to create, edit, and delete inputs)

  3. Delete permissions:

    Note: Before you enable these permissions, ensure that Read permissions are enabled.

    • admin_all_objects (capability to create, edit, and delete inputs)

Known Limitations for User Role Permissions in Splunk Cloud

Splunk Cloud does not support the following capabilities:

  • dispatch_rest_to_indexers

  • edit_tcp

  • edit_udp

As a result:

  • You cannot create Firewall ASA or Firewall Syslog inputs.

  • The Data Integrity and Resource Utilization dashboards may display incomplete data and warning messages.
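The following is an added example, not code from the Cisco documentation or from Security Cloud App itself. It takes the capability names from Step 1 and Step 2 above and the unsupported-capability list from this section, and builds the least-privilege capability set for the Splunk user role tier by tier (status display, read, create/update, delete), enforcing the documented rule that create/update and delete require the read capabilities first. When told the target is Splunk Cloud it drops the three unsupported capabilities and reports them, so an administrator sees up front that the Firewall ASA/Syslog inputs and the two affected dashboards will be limited. It then renders the result as an authorize.conf stanza in the real `[role_<name>]` / `<capability> = enabled` / `srchIndexesAllowed` format. The tiering logic, the warning text, the `*` placeholder for the role's existing allowed-index list, and the function names are this example's own assumptions.

```python
"""Least-privilege capability sets for the Splunk 'user' role used by
Cisco Security Cloud App, rendered as an authorize.conf stanza.

Added example; not part of the Cisco documentation or the app.
Capability names are taken from the Edit a User Role procedure and the
Known Limitations section; everything else here is this example's logic.
"""

# Capability tiers exactly as listed in Step 1 and Step 2 of the procedure.
STATUS = {"list_storage_passwords", "dispatch_rest_to_indexers"}          # Step 1
READ = {"list_inputs", "list_storage_passwords", "dispatch_rest_to_indexers"}
CREATE_UPDATE = {
    "indexes_edit", "edit_storage_passwords", "edit_token_http",
    "edit_tokens_all", "edit_tcp", "edit_udp", "admin_all_objects",
}
DELETE = {"admin_all_objects"}

TIERS = {"status": STATUS, "read": READ, "create_update": CREATE_UPDATE,
         "delete": DELETE}

# Capabilities that the Known Limitations section says Splunk Cloud lacks.
CLOUD_UNSUPPORTED = {"dispatch_rest_to_indexers", "edit_tcp", "edit_udp"}


def capabilities_for(tiers, *, splunk_cloud=False):
    """Return (capabilities, warnings) for the requested tiers.

    Enforces the documented prerequisite that create/update and delete
    both require the read tier. On Splunk Cloud, unsupported capabilities
    are omitted and reported rather than silently written to the stanza.
    """
    requested = set(tiers)
    unknown = requested - TIERS.keys()
    if unknown:
        raise ValueError(f"unknown tier(s): {sorted(unknown)}")
    if requested & {"create_update", "delete"} and "read" not in requested:
        raise ValueError("create_update and delete require the read tier")

    caps = set()
    for tier in requested:
        caps |= TIERS[tier]

    warnings = []
    if splunk_cloud:
        for cap in sorted(caps & CLOUD_UNSUPPORTED):
            warnings.append(f"{cap}: not supported on Splunk Cloud; omitted")
        caps -= CLOUD_UNSUPPORTED
    if "admin_all_objects" in caps:
        # Broad capability; worth a second look before it lands on the
        # default end-user role (this example's own advice).
        warnings.append("admin_all_objects: broad capability, confirm it is required")
    return caps, warnings


def render_authorize_stanza(role, caps, *, include_internal_indexes=False,
                            existing_allowed=("*",)):
    """Render an authorize.conf stanza for the role.

    Format is the real one: [role_<name>], one '<capability> = enabled'
    line per capability, and srchIndexesAllowed as a ';'-separated list.
    'existing_allowed' stands in for whatever the role already allows
    (assumed here to be '*'); Step 1 item 3 adds '_*' for internal indexes.
    """
    lines = [f"[role_{role}]"]
    lines += [f"{cap} = enabled" for cap in sorted(caps)]
    if include_internal_indexes:
        allowed = list(existing_allowed)
        if "_*" not in allowed:
            allowed.append("_*")
        lines.append("srchIndexesAllowed = " + ";".join(allowed))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    caps, warns = capabilities_for(["read", "create_update", "delete"],
                                   splunk_cloud=True)
    for w in warns:
        print("WARNING:", w)
    print(render_authorize_stanza("user", caps, include_internal_indexes=True))
```

Running the block prints the three Splunk Cloud warnings plus the admin_all_objects warning, followed by a `[role_user]` stanza with only the supported capabilities enabled. Pass `splunk_cloud=False` for Splunk Enterprise and all capabilities from Step 2 are emitted.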