Custom roles in Splunk Observability Cloud

Manage users: Create custom roles for users in Splunk Observability Cloud

Predefined roles in Splunk Observability Cloud

Splunk Observability Cloud has built-in roles and the ability to add custom roles. The four built-in roles with predefined capabilities include the following:

  • admin

  • power

  • usage

  • read_only

For general information on these predefined roles, see About roles in Splunk Observability Cloud. For more specific details on how predefined roles map to capabilities in Splunk Observability Cloud, see Splunk Observability Cloud matrix of roles and capabilities.

Prerequisites

To create custom roles, you must meet the following prerequisites:

Custom roles and cross-region connections

You can use custom roles in cross-region connections only for Splunk Cloud Platform version 10.0.2503 and later.

For Splunk Cloud Platform releases prior to 10.0.2503, you can use custom roles only if your Splunk Observability Cloud and Splunk Cloud Platform organizations are in the same region.

Custom roles and multi-org

If you have multiple Splunk Observability Cloud organizations paired with your Splunk Cloud Platform organization, you can customize a role for a specific observability organization. See Connect multiple Splunk Observability Cloud organizations for more information on a multi-org environment.

A custom role is a custom set of capabilities that the admin selects. You can use a policy to assign a capability or set of capabilities to a specific organization in a multi-org environment. See Create authorization policies in Splunk web to learn about policies in general. Follow the instructions below to attach a policy to a set of capabilities.

You can create a policy for a custom role in two ways:
  • Use the Policy management page to find or create a policy, then attach it to a capability.

  • Use the Roles management page, Capabilities tab to add a policy to a specific capability.

Use the Policy management page to create a policy and attach it to a custom role by following these steps:
  1. Log in to Splunk Cloud Platform as an admin, then go to Settings > Policies.

  2. You can select an existing policy and edit it or select + Add policy then add a name.

    Note: You cannot edit the name of an existing policy. Once you name a policy, the name is permanent and you must delete the policy and create a new one to have a new name.
  3. In the Attribute field, select O11y Organization ID.
  4. In the Attribute value field, select the paired Splunk Observability Cloud organization to which you want to map this policy.
  5. Select the role and capability or capabilities you want to map to this paired Splunk Observability Cloud organization, then select Save Policy.

Use the Roles management page to attach a policy to a custom role by following these steps:
  1. Log in to Splunk Cloud Platform as an admin, then go to Settings > Roles and select the Capabilities tab.

  2. Select the plus sign ("+") next to the capability you want to map to a specific observability organization, then from the drop-down menu, select Create new policy or select an existing policy in the list.
    Warning: When you create a policy for a capability to map it to a specific organization, all other organizations effectively lose that capability. If a capability has no policies mapping it to specific organizations, the capability is, by default, accessible to all paired Splunk Observability Cloud organizations.
  3. In the Attribute field, select a Splunk Observability Cloud organization.

  4. Select the custom role you want to assign to that org in the Attribute value field.

How to create a custom role

After setting up Unified Identity and centralized user and role management, Splunk Cloud Platform is the role based access control (RBAC) store for Splunk Observability Cloud. You must create and manage all Splunk Observability Cloud roles in Splunk Cloud Platform. See Create and manage roles with Splunk Web to learn about roles in Splunk Cloud Platform.

To create a custom Splunk Observability Cloud role, follow these steps:

  1. Follow the instructions in the "Add or edit a role" section only of Create and manage roles with Splunk Web.

  2. In Splunk Cloud Platform, on Settings > Roles > Capabilities, specify the custom role capabilities by selecting any combination of capabilities from the table in the following section, Splunk Observability Cloud capabilities.
    Note: Capabilities are always additive in nature. You cannot take away the ability to do something by adding a capability. If you don't want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign that role a capability that lets a user perform that function.
  3. [Recommended] Add the o11y_read_basic_ui_access and o11y_read_org_user capabilities to all custom roles to ensure users have all required baseline UI access.

    Warning: Capabilities relating to Dashboard Groups, Tokens, and Global Search require that a user also have the "o11y_admin" role. Even if a user has read, update, or delete capabilities for Dashboard Groups, Tokens, or Global Search, the user cannot utilize those capabilities without a full admin role, "o11y_admin".

Limitations

Any user with role creation and token management capabilities (capability: token_mgmt) can create a custom role or token. However, only users with the admin role can create a token with the admin role. A user can create a token for only the roles that the user has.

All users with permissions to create tokens can create RUM and Ingest tokens.
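The rules this page states (additive capabilities, policy scoping of a capability to one observability org, the o11y_admin requirement for Dashboard Group, Token and Global Search capabilities, and who may create a token carrying which roles) can be dry-run before you create anything in Splunk Cloud Platform. The checker below is an added example, not Splunk code: the role names, org IDs and policies are constructed, and the mapping of "Dashboard Groups, Tokens, and Global Search" onto capability-name markers is an assumption.

```python
"""Dry-run checker for a proposed Splunk Observability Cloud custom-role design.

Hypothetical helper (not Splunk code) encoding the rules stated on this page:
  * capabilities are additive across a user's roles, never subtractive
  * a capability named in any policy is available only in the orgs those
    policies name; a capability with no policy is available in every paired org
  * Dashboard Group, Token and Global Search capabilities also need o11y_admin
  * a token may carry only roles its creator holds; only an admin may create
    a token carrying the admin role
"""
from collections import defaultdict

ADMIN_ROLE = "o11y_admin"

# Assumption: my mapping of the page's prose ("Dashboard Groups, Tokens, and
# Global Search") onto the capability names used in the page's table.
ADMIN_GATED_MARKERS = ("DASHBOARD_GROUP", "NAMEDTOKEN", "GLOBAL_BUCKET_SEARCH")

# Baseline UI capabilities the page recommends for every custom role
# (table names; in Splunk Cloud Platform they carry an o11y_ prefix).
BASELINE = {"READ_BASIC_UI_ACCESS", "READ_ORG_USER"}


def union_capabilities(user_roles, role_caps):
    """Capabilities are additive: a user holds the union over all their roles."""
    caps = set()
    for role in user_roles:
        caps |= set(role_caps.get(role, ()))
    return caps


def effective_capabilities(user_roles, role_caps, policies, org_id):
    """Capabilities the user can actually exercise in one observability org.

    policies: (capability, org_id) pairs as created on the Policy management
    page. Once a capability has any policy, orgs not named by a policy lose it.
    """
    scoped = defaultdict(set)
    for cap, scoped_org in policies:
        scoped[cap].add(scoped_org)
    is_admin = ADMIN_ROLE in user_roles
    effective = set()
    for cap in union_capabilities(user_roles, role_caps):
        if cap in scoped and org_id not in scoped[cap]:
            continue  # a policy restricts this capability to other orgs
        if any(m in cap for m in ADMIN_GATED_MARKERS) and not is_admin:
            continue  # granted on paper, unusable without the full admin role
        effective.add(cap)
    return effective


def lint_role(role_name, role_caps):
    """Design-time findings for one custom role definition."""
    caps = set(role_caps.get(role_name, ()))
    findings = []
    missing = BASELINE - caps
    if missing:
        findings.append(f"{role_name}: missing baseline UI capabilities {sorted(missing)}")
    gated = sorted(c for c in caps if any(m in c for m in ADMIN_GATED_MARKERS))
    if gated:
        findings.append(f"{role_name}: {gated} are unusable unless the user also holds {ADMIN_ROLE}")
    return findings


def can_create_token(creator_roles, token_roles):
    """A token may carry only roles the creator holds; admin tokens need an admin."""
    creator, token = set(creator_roles), set(token_roles)
    if ADMIN_ROLE in token and ADMIN_ROLE not in creator:
        return False, "only an admin can create a token with the admin role"
    extra = token - creator
    if extra:
        return False, f"creator does not hold {sorted(extra)}"
    return True, "ok"


# Constructed sample design: hypothetical role names, org IDs and one policy.
ROLE_CAPS = {
    "dashboard_editor": {"READ_BASIC_UI_ACCESS", "READ_ORG_USER", "READ_DASHBOARD",
                         "CREATE_DASHBOARD", "CREATE_SHAREABLE_SNAPSHOT",
                         "UPDATE_DASHBOARD_GROUP"},
    "logs_viewer": {"READ_LOG_OBSERVER"},
}
POLICIES = [("CREATE_DASHBOARD", "org-A")]  # scopes CREATE_DASHBOARD to org-A only

if __name__ == "__main__":
    for finding in lint_role("dashboard_editor", ROLE_CAPS):
        print("WARN", finding)
    for org in ("org-A", "org-B"):
        print(org, sorted(effective_capabilities(["dashboard_editor", "logs_viewer"], ROLE_CAPS, POLICIES, org)))
    print(can_create_token(["dashboard_editor"], ["dashboard_editor", ADMIN_ROLE]))
```

Run it on your own role map and policy list to see which capabilities each role actually yields per org, and which ones are dead weight without o11y_admin.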

Splunk Observability Cloud capabilities

The following table lists all of the capabilities that you can add to a role to define the role's permissions in Splunk Observability Cloud:

Table 1. Splunk Observability Cloud capabilities
Capability name What it lets users assigned to this role do admin power usage read_only
ASSIGN_ROLE Grants user permission to assign a role to a given object type (e.g. NamedToken, OrgUser, or Team) X
CREATE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS Grants user permission to generate automated archival exempt metrics X X
CREATE_AUTOMATED_ARCHIVAL_SETTINGS Grants user the permission to create and generate automated archival settings for the org with provided lookback and grace periods X
CREATE_BUSINESS_JOURNEY Grants user permission to create Business Journey X X
CREATE_CHART Grants user permission to create a new chart X X
CREATE_CHILD_ORG Grants user permission to create new child organization X
CREATE_CONFIG Grants user permission to create a visibility filter on APM resources X
CREATE_COST_INSIGHTS_BILLING_CREDENTIAL Grants user permission to store billing credentials in the Cost Insights app in order to fetch real cost data from cloud providers X X
CREATE_DASHBOARD Grants user permission to create a new dashboard. You must also assign the CREATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard X X
CREATE_DASHBOARD_DATA_LINK Grants user permission to create a dashboard data link X X
CREATE_DASHBOARD_GROUP Grants user permission to create a new dashboard group X X
CREATE_DASHBOARD_PRIVATE_AREA Grants user permission to create dashboards in a private area X X
CREATE_DEA_INSIGHTS Grants user the permission to create RUM funnels X X
CREATE_DETECTOR Grants user permission to create a detector X X
CREATE_DIMENSION Grants user permission to create a new dimension X X
CREATE_EVENT Grants user permission to create a new event X X
CREATE_FIELD_ALIASING Grants user permission to create aliases X X
CREATE_GLOBAL_DATA_LINK Grants user permission to create data links and dashboard data links X
CREATE_GOOGLE_AUTH Grants user permission to create a google domain for auth configuration X
CREATE_INTEGRATION Grants user the permission to create an integration X
CREATE_LOGS_PIPELINE Grants user permission to create a new logs pipeline with processing rules X X
CREATE_LOGS_QUERIES Grants user permission to create saved logs queries X X
CREATE_METRIC Grants user permission to create a new metric X X
CREATE_METRIC_RULESET Grants user permission to create a metric ruleset X X
CREATE_MUTING_RULE Grants user permission to create a new muting rule X X
CREATE_NAMEDTOKEN Grants user permission to create a Session or Org Token X
CREATE_NAVIGATOR Grants user permission to create a new navigator X
CREATE_ORG_EC_PAIRING Grants user permission to create the pairing between a Splunk platform and a Splunk Observability Cloud org X
CREATE_ORG_USER Grants user permission to create a new user X
CREATE_PACKAGE Grants user permission to create an SFX Package X X
CREATE_REPORT Grants user permission to create an APM report X
CREATE_ROLE Grants user permission to create a new custom role X
CREATE_SECUREAPP_ALERT Grants user permission to create AlertingActions in Secureapp X X
CREATE_SHAREABLE_SNAPSHOT Grants user permission to create a shareable snapshot of an existing chart or dashboard X X
CREATE_SLO Grants user permission to create a new service level objective X X
CREATE_SSO Grants user permission to create SSO connections X X
CREATE_SYNTHETICS_DOWNTIME_CONFIGURATION Grants user permission to create synthetic downtime configurations X X
CREATE_SYNTHETICS_PRIVATE_LOCATION Grants user permission to create synthetic private location X X
CREATE_SYNTHETICS_PRIVATE_LOCATION_TOKEN Grants user permission to create a synthetic private location token X X
CREATE_SYNTHETICS_TEST Grants user permission to create synthetic tests X X
CREATE_TAG Grants user permission to create a new tag X X
CREATE_TEAM_MANAGER Grants user permission to:
  • add members to existing teams where user is a team manager

  • create team members as team manager

  • update existing members to team manager

  • make changes to a team irrespective of being a team manager

X X
CREATE_TEAM_MEMBER Grants user permission to:
  • create a new team

  • add members to existing teams where user is a team manager

  • add a user to a team

  • create team members as team manager

  • make changes to a team irrespective of being a team manager

  • update existing teams

X X
DELETE_AUTOMATED_ARCHIVAL_EXEMPT_METRICS Grants user permission to delete automated archival exempt metrics X X
DELETE_AUTOMATED_ARCHIVAL_SETTINGS Grants user the permission to delete existing automated archival setting for the org X
DELETE_BUSINESS_JOURNEY Grants user permission to delete a Business Journey X X
DELETE_CHART Grants user permission to delete an existing chart X
DELETE_CHILD_ORG Grants user the permission to delete (decommission) its child organization X
DELETE_CONFIG Grants user permission to delete APM services filters X
DELETE_COST_INSIGHTS_BILLING_CREDENTIAL Grants user permission to delete billing credentials in the Cost Insights app X X
DELETE_DASHBOARD Grants user permission to delete an existing dashboard X X
DELETE_DASHBOARD_DATA_LINK Grants user permission to delete an existing data link X X
DELETE_DASHBOARD_GROUP Grants user permission to delete an existing dashboard group X X
DELETE_DASHBOARD_PRIVATE_AREA Grants user permission to delete dashboards in private area X X
DELETE_DEA_INSIGHTS Grants user permission to delete RUM funnels X X
DELETE_DETECTOR Grants user permission to delete an existing detector X X
DELETE_DIMENSION Grants user permission to delete an existing dimension X X
DELETE_EVENT Grants user permission to delete an existing event X X
DELETE_GLOBAL_DATA_LINK Grants user permission to delete data links and dashboard data links X
DELETE_INTEGRATION Grants user permission to delete an existing integration X
DELETE_METRIC Grants user permission to delete an existing metric X X
DELETE_METRIC_RULESET Grants user permission to delete an existing metric ruleset X X
DELETE_MUTING_RULE Grants user permission to delete an existing muting rule X X
DELETE_NAMEDTOKEN Grants user permission to delete an existing named token X
DELETE_NAVIGATOR Grants user permission to delete an existing navigator X
DELETE_ORG_USER Grants user the permission to delete an existing user X
DELETE_PACKAGE Grants user permission to delete an existing SFX Package X X
DELETE_ROLE Grants user permission to delete an existing custom role X
DELETE_SAML Grants user permission to remove the SAML IDP configuration for a given user X
DELETE_SECUREAPP_ALERT Grants user permission to delete AlertingActions in Secureapp X X
DELETE_SLO Grants user permission to delete an existing Service Level Objective X
DELETE_SYNTHETICS_DOWNTIME_CONFIGURATION Grants user permission to delete synthetic downtime configurations X X
DELETE_SYNTHETICS_PRIVATE_LOCATION Grants user permission to delete synthetic private location X X
DELETE_SYNTHETICS_PRIVATE_LOCATION_TOKEN Grants user permission to delete synthetic private location token X X
DELETE_SYNTHETICS_TEST Grants user permission to delete synthetic tests X X
DELETE_TAG Grants user permission to delete an existing tag X X
DELETE_TEAM Grants user permission to delete an existing team X X
DELETE_TEAM_MEMBER Grants user permission to remove an existing team member from a team X X
EXECUTE_SIGNAL_FLOW Grants user permission to execute a SignalFlow computation using program text and params X X X X
LOGS_READ_ENTITY_MAPPINGS Grants user ability to read the generated mappings containing targeted splunk indexes X X X X
LOGS_WRITE_ENTITY_MAPPINGS Grants user ability to generate mappings for selected set of splunk indexes which are part of a connection X
PREVIEW_AUTOMATED_ARCHIVAL Grants user permission to preview the automated archival metrics X X X X
READ_AIE X
READ_ALERT Grants user permission to retrieve and display alerts X X X X
READ_ALIAS Grants user permission to read the mapping alias for the metrics X X X X
READ_APM_DATA Grants user permission to read and write APM metricsets, business workflows, and extended trace retention settings X X X X
READ_APM_PROFILING_DATA Grants the user permission to read APM profiling data sets X X X X
READ_AUTOMATED_ARCHIVAL_EXEMPT_METRICS Grants user permission to read automated archival exempted metrics X X X X
READ_AUTOMATED_ARCHIVAL_SETTINGS Grants user permission to read the automated archival settings for the org X X X X
READ_BASIC_UI_ACCESS Grants user permission to use basic user interface X X X X
READ_BUSINESS_JOURNEY Grants user permission to read a Business Journey X X X X
READ_CHART Grants user permission to retrieve and display a list of charts X X X X
READ_CHILD_ORG Grants user permission to retrieve and display its child organizations X
READ_CONFIG Grants user permission to retrieve and display APM services X X X X
READ_COST_INSIGHTS_BILLING_CREDENTIAL Grants user permission to list and view billing credentials in the Cost Insights app X X X X
READ_DASHBOARD Grants user permission to retrieve and display a list of dashboards X X X X
READ_DASHBOARD_DATA_LINK Grants user permission to read a dashboard data link X X X X
READ_DASHBOARD_GROUP Grants user permission to retrieve and display a list of dashboard groups X X X X
READ_DASHBOARD_PRIVATE_AREA Grants user permission to read dashboards in private area X X
READ_DEA_BASIC_ACCESS Grants user permission to read RUM funnels X X X X
READ_DETECTOR Grants user permission to retrieve and display detectors X X X X
READ_DIMENSION Grants user permission to retrieve and display a list of dimensions or a list of metrics X X X X
READ_DIMENSION, READ_METRIC_RULESET Grants user permission to retrieve and display a list of dimensions. Also grants user permission to retrieve and display a list of metric rulesets X X X X
READ_ENTITY Grants user permission to:
  • View the discovered entities in the data management UI

  • View the OTel collectors count in the data management UI
  • Read the discovered entities via OTel collectors in the data management UI

X X X X
READ_EVENT Grants user permission to retrieve and display a list of events X X X X
READ_FIELD_ALIASING Grants user read access to aliases X X X X
READ_GENERAL_SETTINGS Grants user permission to read the general settings X
READ_GLOBAL_BUCKET_SEARCH Grants user permission to do a global search X X X X
READ_GLOBAL_DATA_LINK Grants user permission to read data links and dashboard data links X X X X
READ_INCIDENT Grants user permission to retrieve incidents X X X X
READ_INSIGHTS Grants user permission to read Kubernetes insights based on metric data from the last 20 seconds X X X X
READ_INTEGRATION Grants user permission to retrieve and display a list of integrations X X X X
READ_LOG_OBSERVER Grants user read access to Log Observer Connect connections, saved queries, user preferences, logs data, and indices X X X X
READ_LOGS_PIPELINE Grants user permission to view the configured logs pipeline and processing rules X X
READ_METRIC Grants user permission to retrieve and display a list of metrics X X X X
READ_METRIC_RULESET Grants user permission to retrieve and display a list of metric rulesets X X X X
READ_METRIC_USAGE Grants user permission to read metric usage for various domain objects, such as NamedTokens, Metrics, Charts, and Detectors. The user also requires read capabilities on such domain objects. X X X X
READ_METRIC, READ_METRIC_RULESET Grants user the permission to retrieve and display a list of metrics and metric rulesets X X X X
READ_MUTING_RULE Grants user permission to retrieve and display a list of muting rules X X X X
READ_NAMEDTOKEN Grants user permission to retrieve and display a list of named tokens X X
READ_NAVIGATOR Grants user permission to retrieve and display a list of navigators X X X X
READ_OPEN_API Grants user permission to retrieve the o11y OpenAPI specification document X X X X
READ_ORG_USER Grants user permission to:
  • create a new user

  • retrieve and display a list of existing users

X X X X
READ_ORGANIZATION Grants user permission to see organization information X X X X
READ_ORGANIZATION_OVERVIEW Grants user the permission to read organization overview X
READ_ORGANIZATION_QUOTA Grants user permission to read the organization's quota settings X X X X
READ_PACKAGE Grants user permission to read SFPackages X X X X
READ_PARENT_ORG Grants user permission to retrieve and display its parent organization X
READ_PERMISSION Grants user permission to retrieve the business objects' permissions X X X X
READ_PREFERENCES Grants user permission to read users' preferences X X X X
READ_ROLE Grants user permission to retrieve and display a list of existing roles X X
READ_RUM_BASIC_ACCESS Grants user permission to:
  • get the current custom indexed tags configuration

  • get a list of all known RUM standard tags

  • get a list of all organization IDs for the realm

  • get the top apps for a given org

  • get an error summary for each fingerprint in a list of semi-colon delimited error fingerprints

  • get the Druid metric family for a given metric name

  • cancel the job for a given search job ID (Returns a 202 if the request for cancellation is accepted or a 404 if the job doesn't exist)

  • get the results for a given span search job ID

  • get exemplar session IDs from Druid for a given time range and filters, then further hydrate the session IDs with session details from Presto

  • get MTSes from Druid for a time range and filters (Timestamps in the time series represent the end time of the interval returned)

  • start a job to get exemplars for a given URL config rule

  • cancel the job for a given exemplar job ID (Returns a 202 if the request for cancellation was accepted or a 404 if the job doesn't exist)

  • get the results from the job if given an exemplar job ID

  • get the current custom indexed tags definition for a given org ID

  • get the current URL config rules object for a given org ID

  • get the current URL config version object for a given org ID

  • get normalized URLs for a given URL

  • get a list of tag values for given filters (useful for populating type-ahead lists in a UI)

  • get the session chunk belonging to a span session for given session ID and chunk batch IDs

  • get spans for a given session ID and span ID from that session and its neighboring (+/-) spans with chunk start time

  • get session summary (start time, end time, tags, and session chunks) for a given span session ID

  • get SR scripts belonging to a given SR session ID

  • get SR data for a given SR session ID, script ID and offset

  • get customer usage data for the org for a given start and end time

  • start a job to get spans that match a given start time, end time, and filters

X X X X
READ_SECUREAPP Grants user permission to read APIs v2/secureapp/*. User can get a) the vulnerabilities associated with the packages in the running applications, b) the libraries and its details, and c) the services. X X X X
READ_SHAREABLE_SNAPSHOT Grants user permission to retrieve an existing shareable snapshot X X X X
READ_SLO Grants user permission to retrieve and display a list of objectives X X X X
READ_SSO Grants user permission to retrieve Single Sign On connection X X X X
READ_SUGGESTION Grants user permission to use suggestions for entities X X X X
READ_SYNTHETICS_DOWNTIME_CONFIGURATION Grants user permission to read synthetic downtime configurations X X X X
READ_SYNTHETICS_PRIVATE_LOCATION Grants user permission to read synthetic private location X X X X
READ_SYNTHETICS_PRIVATE_LOCATION_TOKEN Grants user permission to read synthetic private location token X X X X
READ_SYNTHETICS_TEST Grants user permission to read synthetic tests X X X X
READ_TAG Grants user permission to retrieve and display a list of tags X X X X
READ_TEAM Grants user permission to retrieve and display a list of existing teams X X X X
READ_TEAM_MEMBER Grants user permission to retrieve and display a list of existing team members X X X X
READ_USAGE Grants user permission to view subscription usage data X X X X
UPDATE_AUTOMATED_ARCHIVAL_SETTINGS Grants user permission to update existing automated archival settings for the org X
UPDATE_BASIC_UI_ACCESS Grants user permission to use basic UI X X X X
UPDATE_BUSINESS_JOURNEY Grants user permission to update Business Journey X X
UPDATE_CHART Grants user permission to make changes to an existing chart X X
UPDATE_CHILD_ORG Grants admin permission to update its child organization properties including subscription resource allocation X
UPDATE_CONFIG Grants user permission to update APM services filters X
UPDATE_DASHBOARD Grants user permission to make changes to an existing dashboard X X
UPDATE_DASHBOARD_DATA_LINK Grants user permission to change existing dashboard data links or existing data links X X
UPDATE_DASHBOARD_GROUP Grants user permission to make changes to an existing dashboard group. You must also assign the UPDATE_SHAREABLE_SNAPSHOT capability to allow the user to save the dashboard group X X
UPDATE_DASHBOARD_PRIVATE_AREA Grants user permission to update dashboards in private area X X
UPDATE_DEA_INSIGHTS Grants user permission to update RUM funnels X X
UPDATE_DETECTOR Grants user permission to make changes to an existing detector X X
UPDATE_DIMENSION Grants user permission to make changes to an existing dimension X X
UPDATE_FIELD_ALIASING Grants user permission to update or delete field aliases X X
UPDATE_GLOBAL_DATA_LINK Grants user permission to update existing data links and existing dashboard data links X X
UPDATE_GLOBAL_TEAM_MANAGER Grants user permission to:
  • create a new team

  • add members to existing teams where user is a team manager

  • add a user to a team

  • create team members as team manager

  • make changes to a team irrespective of being a team manager

  • update existing team members to team manager

X X
UPDATE_INCIDENT Grants user permission to clear an existing incident X X
UPDATE_INTEGRATION Grants user permission to make changes to an existing integration X
UPDATE_LOGS_PIPELINE Grants user permission to update a logs pipeline with processing rules X X
UPDATE_LOGS_QUERIES Grants user permission to create, update, and delete saved logs queries X X
UPDATE_METRIC Grants user permission to make changes to an existing metric X X
UPDATE_METRIC_RULESET Grants user permission to make changes to an existing metric ruleset X X
UPDATE_METRIC_RULESET_ROUTING Grants user the permission to make changes to an existing metric ruleset's routing. X
UPDATE_MUTING_RULE Grants user permission to make changes to an existing muting rule object X X
UPDATE_NAMEDTOKEN Grants user permission to make changes to an existing named token X
UPDATE_NAVIGATOR Grants user permission to make changes to an existing navigator X
UPDATE_ORG_USER Grants user permission to make changes to an existing user X
UPDATE_ORGANIZATION Grants user permission to make changes to an existing organization's details X
UPDATE_OTEL_MIGRATION Grants user permission to run OTel migration from 1x to 2x X
UPDATE_PACKAGE Grants user permission to update an existing SFPackage X X
UPDATE_PREFERENCES Grants user permission to update the user's preferences X X X X
UPDATE_ROLE Grants user permission to make changes to an existing role X
UPDATE_RUM_BROWSER_MAPPING_FILE Grants user permission to upload the RUM browser mapping file X X
UPDATE_RUM_CONFIG Grants user permission to:
  • update the current custom indexed tag config for the given org

  • delete a given tag for a given org ID

  • pause indexing of a specified tag and org ID

  • launch a cardinality job for a given tag and org ID to analyze the specified tag for indexing

  • enable the tag analyzed by the current cardinality job to be indexed for a given org ID

  • restart the current cardinality job for a given org ID

  • stop the current cardinality job for a given org ID

X
UPDATE_RUM_MOBILE_MAPPING_FILE Grants user permission to upload the RUM mobile mapping file X X
UPDATE_RUM_URL_GROUPING_RULE Grants user permission to update the current URL config object (modify, add, or remove rules) X X
UPDATE_SECUREAPP_ALERT Grants user permission to update AlertingActions in Secureapp X X
UPDATE_SERVICE_CENTRIC_VIEW_CONFIG Grants user permission to create or update an APM Services configuration for a service X X
UPDATE_SHAREABLE_SNAPSHOT Grants user permission to update an existing SFPackage X X
UPDATE_SLO Grants user permission to make changes to an existing service level objective X X
UPDATE_SYNTHETICS_DOWNTIME_CONFIGURATION Grants user permission to update synthetic downtime configurations X X
UPDATE_SYNTHETICS_TEST Grants user permission to update synthetic tests X X
UPDATE_TAG Grants user permission to make changes to an existing tag X X
UPDATE_TEAM Grants user permission to:
  • update existing teams

  • add members to existing teams where user is a team manager

  • make changes to a team irrespective of being a team manager

X X
UPDATE_TEAM_MEMBER Grants user permission to:
  • update existing members to team manager

  • create team members as team manager

  • make changes to a team irrespective of being a team manager

X X
WRITE_ENTITY Grants user permission to update a discovered entity in the data management UI X X