Splunk Exam SPLK-2003 Topic 17 Question 64 Discussion

Actual exam question for Splunk's SPLK-2003 exam

Question #: 64
Topic #: 17

[All SPLK-2003 Questions]

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

AMake sure the Execute Playbook capability is removed from all roles except admin.

BPlace restricted playbooks in a second source repository that has restricted access.

CAdd a filter block to all restricted playbooks that filters for runRole = 'Admin'.

DAdd a tag with restricted access to the restricted playbooks.

Show Suggested Answer

Suggested Answer: A

To restrict playbook execution to members of the admin role within Splunk SOAR, the 'Execute Playbook' capability must be managed appropriately. This is done by ensuring that this capability is removed from all other roles except the admin role. Role-based access control (RBAC) in Splunk SOAR allows for granular permissions, which means you can configure which roles have the ability to execute playbooks, and by restricting this capability, you can control which users are able to initiate playbook runs.

by Frederick at Apr 05, 2025, 02:32 AM

Limited Time Offer

25%

Off

Get Premium SPLK-2003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Pedro

1 months ago

Option C is the way forward, no doubt. Gotta keep those playbooks in the hands of the chosen few, am I right?

upvoted 0 times

Karima

4 days ago

C) Add a filter block to all restricted playbooks that filters for runRole = 'Admin'.

upvoted 0 times

...

Bambi

13 days ago

A) Make sure the Execute Playbook capability is removed from all roles except admin.

upvoted 0 times

...

Dean

16 days ago

C) Add a filter block to all restricted playbooks that filters for runRole = 'Admin'.

upvoted 0 times

...

Shalon

2 months ago

I see both points, but I personally prefer option B. Keeping restricted playbooks in a separate repository adds an extra layer of security.

upvoted 0 times

...

Orville

2 months ago

I disagree, I think option C is more secure. Adding a filter block directly to the playbooks is more foolproof.

upvoted 0 times

...

Nana

2 months ago

I think option A is the best choice. It ensures that only admins can execute the playbooks.

upvoted 0 times

...

Allene

2 months ago

I bet the admin role has a secret handshake or something. Option C is the way to keep those playbooks on lockdown.

upvoted 0 times

Lelia

13 days ago

Definitely, it's important to have measures in place to control who can run certain playbooks.

upvoted 0 times

...

Luisa

16 days ago

Yeah, adding a filter block for runRole = 'Admin' seems like a secure way to restrict access.

upvoted 0 times

...

Fernanda

23 days ago

I agree, option C sounds like the best way to ensure only admins can execute those playbooks.

upvoted 0 times

...

Ocie

2 months ago

Ah, the admin role strikes again! Option C is definitely the way to go. Can't have the regular folks messing with the important stuff, right?

upvoted 0 times

...

Lisha

2 months ago

Hmm, I'm not sure about option B. Keeping restricted playbooks in a separate repo seems a bit complex. I'd go with C - the filter block is a straightforward solution.

upvoted 0 times