The role hierarchy in splunk allows a user who has the ‘edit_user’ capability to create other splunk users and grant them any role including admin. But what if you want to delegate user creation to a ‘mini-admin’ who should be able to create only users but not more admins.
Starting 6.2, we have the concept of a delegated admin, who can create users who can only belong to a pre-provided list of roles. This is a way of enforcing the principle that users can only create other users with privileges that are a subset of their own.
Let us see how this can be achieved.
Step 1 – Create a new role with the ‘edit_user’ capability and pass in an additional attribute called ‘grantable_ roles’ at the time of role creation. You can do so using curl or ‘splunk _internal’.
Here, we have created a new role called ‘delegated_admin’. A user belonging to this role can create users but these users have to belong to the user or power role.
Step 2 – Create a user for that role. Let us call the new user ‘delegated-admin’.
Step 3 – User ‘delegated_admin’ now creates new users.
But he is prevented from creating users outside the set of ‘grantable_roles’. Thus, a delegated admin cannot build a new user with permissions that he himself does not already have.