Splunk Enterprise

Configure automated user provisioning, role assignment, and account management for Splunk Enterprise using Veza Lifecycle Management

Overview

Lifecycle Management for Splunk Enterprise automates user identity and access operations, enabling:

  • Automated user account creation and updates

  • Role assignment and removal for access management

  • User account deletion for offboarding

  • Attribute synchronization for user profiles

Use this integration with Veza Lifecycle Management to:

  • Onboard users: Automatically create Splunk Enterprise accounts with initial role assignments

  • Manage access: Add or remove role memberships based on access policies

  • Offboard users: Delete accounts when users leave the organization

  • Update profiles: Synchronize user attributes like email and display name

Splunk Enterprise supports the following Lifecycle Management actions:

| Action Type | Description | Supported Operations |
| --- | --- | --- |
| Sync Identities | Create or update user accounts | Create, Update |
| Manage Relationships | Assign or remove role memberships | Add, Remove |
| Delete Identity | Permanently delete user accounts | Delete |

Note: Splunk Enterprise does not support the Deprovision Identity action for disabling or locking user accounts. The Splunk API only supports permanent deletion via the Delete Identity action. To offboard users while maintaining audit records, use the Delete Identity action, which preserves activity logs even after account deletion.

Refer to the Lifecycle Management Overview for more information about creating policy-based provisioning workflows with Veza.

Prerequisites

Before enabling Lifecycle Management for Splunk Enterprise, you will need:

  1. An Existing Integration: Add a Splunk Enterprise integration and complete at least one successful extraction. See Splunk Enterprise integration.

  2. Sufficient Permissions for Lifecycle Management: The Veza service account needs write capabilities beyond read-only access:

| Capability | Required For |
| --- | --- |
| edit_user | SYNC_IDENTITIES, DELETE_IDENTITY |
| edit_roles_grantable or edit_roles | MANAGE_RELATIONSHIPS |

Enable Lifecycle Management

To enable the Splunk Enterprise integration for Lifecycle Management:

  1. In Veza, navigate to Integrations

  2. Locate your Splunk Enterprise integration

  3. Open the integration details

  4. Enable Usage for Lifecycle Management

  5. Verify the integration appears in Lifecycle Management > Integrations

See Managing Integrations for more information on configuring integrations for Lifecycle Management.

Supported Actions

Sync Identities

Creates new user accounts or updates existing user attributes in Splunk Enterprise.

Capabilities:

  • Create New Users: Yes

  • Update Existing Users: Yes

  • Entity Type: Splunk Enterprise User

Required Attributes

| Attribute | Type | Description | Example |
| --- | --- | --- | --- |
| name | String | Username (unique identifier, lowercase alphanumeric recommended) | jsmith |
| email | String | Primary email address (required for user creation) | |
| password | String | User password (required for create operations) | SecurePass123! |

Optional Attributes

| Attribute | Type | Description | Default |
| --- | --- | --- | --- |
| realname | String | User's display name or full name | Uses name if not provided |

When creating a new user:

  • The name attribute becomes the unique username (must be unique within the Splunk Enterprise instance)

  • Both email and password are required for user creation. The password must meet your Splunk Enterprise deployment's password complexity requirements, which are configured by your Splunk administrator (e.g., minimum length, required character types).

  • If realname is not provided, it defaults to the name value

  • New users are automatically assigned the default user role (Splunk requires at least one role). You can use MANAGE_RELATIONSHIPS to grant additional role assignments

When updating an existing user:

  • Only the attributes specified in the update request are modified

  • Other attributes remain unchanged

  • The name attribute is used to identify the user, but cannot be changed

  • Password updates are supported, but require providing the new password value

Manage Relationships

Assigns or removes role memberships for Splunk Enterprise users.

Supported Relationship Types:

| Relationship | Description |
| --- | --- |
| User → Role | Assign or remove a role for a user. |

Splunk Enterprise implements a role relationship manager that:

  • Adds roles to users by updating the user's role list

  • Removes roles from users by updating the user's role list

  • Validates that the target role exists before assignment

  • Preserves all other assigned roles when adding or removing a single role

Only existing roles can be assigned. Splunk Enterprise groups (LDAP and SAML) are read-only and managed by external identity providers. Lifecycle Management cannot create or modify groups or create new roles.

How Relationships Work

When Adding a Role:

  1. Veza retrieves the user's current role assignments

  2. Checks if the role is already assigned (skips if already assigned)

  3. Adds the new role to the user's role list

  4. Updates the user with the complete role list

When Removing a Role:

  1. Veza retrieves the user's current role assignments

  2. Checks if the role is currently assigned (skips if not assigned)

  3. Removes the target role from the user's role list

  4. Updates the user with the remaining roles

Notes:

  • Users must have at least one role in Splunk Enterprise

  • Removing a user's last role assignment will fail

  • Role assignments are direct. A role may contain inherited roles depending on Splunk's role inheritance configuration.

  • Built-in roles (e.g., admin, user, power) can be assigned and removed

  • Custom roles created in Splunk Enterprise are also supported
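The add and remove steps above, with the role-existence and last-role checks, as an added Python example (not Veza's or Splunk's own code). The function names are hypothetical, and `update_request` assumes the complete list is sent to Splunk's `authentication/users/{name}` REST endpoint with one `roles` parameter per role.

```python
from urllib.parse import quote, urlencode


class RoleChangeError(ValueError):
    """The requested change would be rejected (unknown role or last role)."""


def plan_role_change(current, known_roles, role, action):
    """Return the complete role list to write back, or None to skip the update.

    current     -- roles currently assigned to the user (step 1)
    known_roles -- roles that exist in the Splunk instance
    """
    current = list(current)
    if action == "add":
        if role not in known_roles:
            raise RoleChangeError(f"role {role!r} does not exist")
        if role in current:
            return None                      # already assigned: skip
        return current + [role]              # other roles are preserved
    if action == "remove":
        if role not in current:
            return None                      # not assigned: skip
        remaining = [r for r in current if r != role]
        if not remaining:
            raise RoleChangeError("a user must keep at least one role")
        return remaining
    raise ValueError(f"unknown action {action!r}")


def update_request(username, roles):
    """Build (path, form body) for the user update; assumed request shape."""
    path = "/services/authentication/users/" + quote(username, safe="")
    return path, urlencode([("roles", r) for r in roles])


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    known = {"admin", "power", "user", "soc_analyst"}
    assigned = ["user"]
    assigned = plan_role_change(assigned, known, "soc_analyst", "add")
    print(update_request("jsmith", assigned))
    try:
        plan_role_change(["user"], known, "user", "remove")
    except RoleChangeError as exc:
        print("rejected:", exc)
```

Because every update carries the full role list, the list that is written back is what an access review should compare against the intended policy.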

Delete Identity

Permanently deletes user accounts from Splunk Enterprise. Note that Splunk Enterprise does not have a native "disabled" or "locked" state for accounts (except lock-out).

Delete Method: The account and all associated data are permanently removed from Splunk Enterprise.

Required Attributes

| Attribute | Type | Description |
| --- | --- | --- |
| name | String | Username of the account to delete |

Delete Behavior

When deleting a user:

  • The user account is permanently removed

  • All role assignments are removed as part of the deletion

  • User-owned objects (saved searches, dashboards, etc.) may be affected based on Splunk configuration

  • The username can be reused for a new user after deletion

User deletion is permanent and cannot be undone through the API. While Splunk administrators can view audit logs to access deleted user records, consider removing role assignments (using MANAGE_RELATIONSHIPS) for temporary access revocations. Built-in system accounts (e.g., admin) cannot be deleted.

Example Workflows

Onboarding New Users

  1. Create User Account (SYNC_IDENTITIES): Provide a name, email, password, and optionally realname. The user is created with the default user role.

  2. Assign Roles (MANAGE_RELATIONSHIPS): Add role assignments based on job function.

Modifying Access

  • Add Role (MANAGE_RELATIONSHIPS): Add a role assignment to the user

  • Remove Role (MANAGE_RELATIONSHIPS): Remove a role assignment from the user

Employee Offboarding

  • Revoke Access (Reversible): Remove all elevated roles via MANAGE_RELATIONSHIPS, leaving only the base user role.

  • Delete Account (Permanent): Use DELETE_IDENTITY to remove a user account permanently.

Updating User Profile

  • Use SYNC_IDENTITIES to update a user's email, realname, or password. Provide the name to identify the user; only the specified attributes are updated.
