Security Permissions

Two custom roles are created as part of the installation. These are assigned the capabilities and object-level permissions required to use the Prelert Anomaly Detective App for Splunk:

  • prelert_user - can manually manage insights (create, add anomalies from clipboard, merge, remove anomalies, delete).
  • prelert_power - can manage anomaly searches and insight monitors.

The Splunk admin role is typically required for installing and upgrading.

The table below lists, for each area of the app, the actions available, the role required, and the capabilities that role needs [1].

Area: Results
  Actions:
    • View Anomaly Search Results
    • View Entity View
    • View Anomaly Explorer
    • View Insights
    • View comments
    • View the list of Anomaly Searches
    • View the list of Insight Monitors
    • Run Evaluation Mode
    • Run Timechart Mode
  Role: user
  Capabilities [1]: none additional

Area: Clipboard
  Actions:
    • Add to clipboard
    • Delete from clipboard
  Role: user
  Capabilities [1]: none additional

  Actions:
    • Save as new Insight
  Role: prelert_user
  Capabilities [1]:
    • edit_tcp

Area: Insights
  Actions:
    • Edit status, description, score
    • Import clipboard
    • Remove anomalies from Insight
    • Merge Insights
    • Delete Insight
  Role: prelert_user
  Capabilities [1]:
    • edit_tcp

Area: Comments
  Actions:
    • Add
    • Edit
    • Delete
  Role: prelert_user
  Capabilities [1]: none additional

Area: Summary Emails
  Actions:
    • Create
    • Edit
    • Test
    • Clone
    • Delete
    • Start
    • Stop
  Role: prelert_power
  Capabilities [1]:
    • prelert_write_summary_config
    • schedule_search

Area: Insight Monitors
  Actions:
    • Create
    • Edit
    • Clone
    • Delete [2]
    • Start
    • Stop
    • Kill lookback
  Role: prelert_power
  Capabilities [1]:
    • edit_scripted
    • edit_tcp
    • prelert_write_autoinsight_config
    • schedule_search

Area: Anomaly Searches
  Actions:
    • Create
    • Edit
    • Clone
    • Delete [3]
    • Start
    • Stop
    • Kill lookback
  Role: prelert_power
  Capabilities [1]:
    • edit_scripted
    • edit_tcp
    • prelert_write_fields_config
    • prelert_write_realtime_config
    • schedule_search

  Actions:
    • Reset
  Role: can_delete and prelert_power
  Capabilities [1]:
    • delete_by_keyword [4]
    • edit_scripted

Area: Admin Functions
  Actions:
    • Install
    • Upgrade
  Role: admin
  Capabilities [1]:
    • rest_apps_management

  Actions:
    • Apply license
    • Toggle upgrade mode
  Role: admin
  Capabilities [1]:
    • admin_all_objects
[1] The capabilities that the Splunk user role has by default are also required.
[2] If run, an Insight Monitor will have associated results stored in the prelertresults index. It is expected that most users will not have the delete_by_keyword capability required to delete from a Splunk index, therefore by selecting delete we hide the results and prevent them from being displayed. We also stop the monitor name from being re-used in future. Users who delete a monitor without the delete_by_keyword capability will see a warning message explaining this. This is expected. In this case, the results will not be accessible from the UI, even though they continue to exist in the prelertresults index.
[3] The previous footnote also applies to Anomaly Searches.
[4] The option to "reset" an Anomaly Search is hidden from view for users without the delete_by_keyword capability.

Warning

Be aware that if you have changed the app access permissions in an older version of Anomaly Detective, you may have local metadata settings that disallow access for the new prelert_power and prelert_user roles defined in Anomaly Detective 4.2. If this is the case you may need to add the prelert_power and prelert_user roles to your customized access settings for Anomaly Detective before they work as intended. It is recommended that you remove any custom write access roles from any pre-existing local.meta file and redefine access using the new Prelert roles. This will reduce the risk of subsequent upgrades introducing further permissions problems.

Write access to the Prelert KV store collections is now limited to the admin, prelert_user and prelert_power roles.
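As an added illustration (not the configuration the app actually ships), the following shows how roles carrying the capabilities listed in the table above are declared in Splunk's authorize.conf, and how a local.meta access stanza of the kind described in the warning grants the new roles write access. The file paths, the stanza layout and the choice of importRoles are assumptions; the capability and role names are taken from this page.

```ini
# Added example, not the Prelert app's own configuration.
# Capability and role names come from the table above; paths and the
# importRoles choices are assumptions.

# --- $SPLUNK_HOME/etc/apps/<app>/default/authorize.conf (assumed path) ---

# App-specific capabilities must be declared before a role can be granted them.
[capability::prelert_write_summary_config]
[capability::prelert_write_autoinsight_config]
[capability::prelert_write_fields_config]
[capability::prelert_write_realtime_config]

# prelert_user: builds on the built-in "user" role (footnote [1]) and adds
# edit_tcp, which the table requires for saving and managing insights.
[role_prelert_user]
importRoles = user
edit_tcp = enabled

# prelert_power: built-in "user" role plus everything the Summary Emails,
# Insight Monitors and Anomaly Searches rows require.
# delete_by_keyword is deliberately NOT granted here: per the Reset row and
# footnote [4], that comes from the separate built-in can_delete role.
[role_prelert_power]
importRoles = user
edit_scripted = enabled
edit_tcp = enabled
schedule_search = enabled
prelert_write_summary_config = enabled
prelert_write_autoinsight_config = enabled
prelert_write_fields_config = enabled
prelert_write_realtime_config = enabled

# --- $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta (assumed path) ---
# A local.meta left over from an older version that lists only custom roles
# under "write" silently locks out prelert_user and prelert_power.
# Reads stay open to everyone; writes go to the three roles the page names.
[]
access = read : [ * ], write : [ admin, prelert_user, prelert_power ]
```

A quick way to confirm the result is to compare the effective capabilities of a test account in each role against the table before and after the upgrade.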
