Delegated admin

The role hierarchy in Splunk allows a user who has the ‘edit_user’ capability to create other Splunk users and grant them any role, including admin. But what if you want to delegate user creation to a ‘mini-admin’ who should be able to create only users, but not more admins?

Starting with 6.2, we have the concept of a delegated admin, who can create users that may only belong to a pre-provided list of roles. This enforces the principle that users can only create other users with privileges that are a subset of their own.

Let us see how this can be achieved.

Step 1 – Create a new role with the ‘edit_user’ capability and pass in an additional attribute called ‘grantable_roles’ at the time of role creation. You can do so using curl or ‘splunk _internal’.

[Screenshot: Delegated_Admin_User]

Here, we have created a new role called ‘delegated_admin’. A user belonging to this role can create users, but those users must belong to the user or power role.


Step 2 – Create a user for that role. Let us call the new user ‘delegated-admin’.

[Screenshot: Create_delegated_admin_user]


Step 3 – User ‘delegated_admin’ now creates new users.

[Screenshot: Delegated_Admin_Creates_User]


But the delegated admin is prevented from creating users outside the set of ‘grantable_roles’. Thus, a delegated admin cannot build a new user with permissions that he himself does not already have.


[Screenshot: delegated_admin_error]
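As an added example, not taken from the original post, here are the three steps above as curl calls against the Splunk management port. It assumes Splunk listening on https://localhost:8089, placeholder credentials, and it prints the requests instead of sending them when DRY_RUN=1.

```shell
# Added example: the three steps above as REST calls. Assumptions (not from the post):
# Splunk's management port on https://localhost:8089 and placeholder credentials.
SPLUNK_HOST="${SPLUNK_HOST:-https://localhost:8089}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"   # placeholder, set to a real admin credential

# POST to an endpoint as $SPLUNK_AUTH; with DRY_RUN=1 the request is printed, not sent.
# -k accepts Splunk's default self-signed certificate; use --cacert in production.
splunk_post() {
  endpoint="$1"; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'curl -k -u %s %s/%s' "$SPLUNK_AUTH" "$SPLUNK_HOST" "$endpoint"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
  else
    curl -k -s -u "$SPLUNK_AUTH" "$SPLUNK_HOST/$endpoint" "$@"
  fi
}

# Step 1: a role with edit_user whose members may only assign the listed roles.
# Every role after the role name becomes one repeated grantable_roles field.
# CLI equivalent: splunk _internal call /services/authorization/roles \
#   -post:name delegated_admin -post:capabilities edit_user \
#   -post:grantable_roles user -post:grantable_roles power -auth "$SPLUNK_AUTH"
create_delegated_role() {
  role="$1"; shift
  grantable="$*"
  set -- -d "name=$role" -d "capabilities=edit_user"
  for r in $grantable; do set -- "$@" -d "grantable_roles=$r"; done
  splunk_post services/authorization/roles "$@"
}

# Steps 2 and 3: create a user with the given roles, acting as $SPLUNK_AUTH.
create_user() {
  name="$1"; pw="$2"; shift 2
  roles="$*"
  set -- -d "name=$name" -d "password=$pw"
  for r in $roles; do set -- "$@" -d "roles=$r"; done
  splunk_post services/authentication/users "$@"
}

# Walkthrough (run with DELEGATED_DEMO=1 against a live instance).
if [ "${DELEGATED_DEMO:-0}" = "1" ]; then
  create_delegated_role delegated_admin user power              # step 1, as admin
  create_user delegated_admin 'Placeh0lder!' delegated_admin    # step 2, as admin
  SPLUNK_AUTH='delegated_admin:Placeh0lder!'                    # step 3, as the delegated admin
  create_user alice 'Placeh0lder!' user      # allowed: user is in grantable_roles
  create_user mallory 'Placeh0lder!' admin   # rejected by Splunk: admin is not grantable
fi
```

The last request is the one the error screenshot shows: Splunk enforces the grantable_roles check server side, so the delegated admin's request is refused rather than silently downgraded.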

Thanks for all the snapshots – made it easy to read, follow and understand.

Jue
April 6, 2015