access_controls.conf
This documentation does not apply to the most recent version of Splunk.
access_controls.conf allows you to configure granular access controls so that users in different roles can see only a subset of the data in your Splunk index.
access_controls.conf.spec
#
# This file contains possible attribute/value pairs for access_controls.conf.
#
# There is an access_controls.conf in the default bundle. To set custom configurations, place an
# access_controls.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
#
# Roles can contain a search string but not a search that pipes to
# other operators (where, regex, etc.).
#
# This means that if you need field-based roles, the fields must be search fields (extracted at
# indexing time).
#
# It is wise to keep the role searches as simple as possible for
# performance reasons.
#
# Currently, you cannot specify a role that uses indexes, savedsearches, sourcetypes,
# time operators or regular expressions.
#
# If tags are used for roles you should be aware that there may be negative
# performance implications as tag searches are slower than other searches.
#
# Host and source are recommended fields for roles.
#
[roles]
rolename1 = <string>
rolename2 = <string>
...
* Enter a search string to restrict access.
[groups]
groupname1 = <string>
groupname2 = <string>
...
* Maps a group name to a space-separated list of roles for that group.
* For example, you can map "foogroup" to "roleA roleB" etc.
[users]
username1 = <string>
username2 = <string>
...
* Maps a username to a space-separated list of groups for that user.
* For example, you can map users defined in Splunk to "foogroup."
access_controls.conf.example
# This is an example access_controls.conf.
#
# Roles can contain a search string but not a search that pipes to
# other commands (where, regex, etc.).
#
# This means that if you need field-based roles, the fields must be search fields (extracted at
# indexing time).
#
# It is wise to keep the role searches as simple as possible for
# performance reasons.
#
# Currently, you cannot specify a role that uses indexes, savedsearches, sourcetypes,
# time operators or regular expressions.
#
# If tags are used for roles you should be aware that there may be negative
# performance implications as tag searches are slower than other searches.
#
# Host and source are recommended fields for roles.

[roles]
roleA = host::www
roleB = source::splunk*
roleC = host::localhost
roleD = NOT host::finance

[groups]
group1 = roleA roleB
group2 = roleC
group3 = roleD

[users]
admin = group1 group2
localhost_user = group2
all_but_finance_user = group3

# The user localhost_user can see events only from host::localhost.
# The user all_but_finance_user can see events from all hosts except a
# host named finance.
# The user admin can just see events from host::www or from source::splunk*.
# Events from source::splunk* that DO NOT have host::www will be
# accessible but events from other sources with other hosts will not. Events
# from host::www will be accessible even if they are not from source::splunk*.
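A small linter for this file format, added here as an example (it is not Splunk's code): it parses the three stanzas, resolves each user's groups to role search strings, and flags piped searches, undefined roles or groups, and the index/sourcetype/savedsearch fields the spec says roles cannot use. The function names, the FORBIDDEN field check and the sample config (names from the example above plus deliberately broken entries) are assumptions.

```python
import configparser

# Constructed sample: names from the page's example plus deliberately broken entries.
SAMPLE = """
[roles]
roleA = host::www
roleD = NOT host::finance
roleE = host::db | regex _raw=secret
roleF = sourcetype::syslog
[groups]
group1 = roleA roleD
group2 = roleE roleMissing
[users]
admin = group1 group2
auditor = group9
"""
# Assumed heuristic for field names the spec says a role cannot use.
FORBIDDEN = ("index", "sourcetype", "savedsearch")

def load(text):
    """Parse the [roles], [groups] and [users] stanzas into plain dicts."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) if cp.has_section(s) else {} for s in ("roles", "groups", "users")}

def lint(conf):
    """Return a sorted list of problems in the parsed config."""
    problems = []
    for role, search in conf["roles"].items():
        if "|" in search:
            problems.append(f"role {role}: piped search not allowed")
        for term in search.replace("=", "::").split():
            field = term.split("::")[0].lower()
            if field in FORBIDDEN:
                problems.append(f"role {role}: uses {field}")
    for kind, ref, section, target in (("group", "role", "groups", "roles"),
                                       ("user", "group", "users", "groups")):
        for name, refs in conf[section].items():
            for r in refs.split():
                if r not in conf[target]:
                    problems.append(f"{kind} {name}: undefined {ref} {r}")
    return sorted(problems)

def effective_searches(conf, user):
    """Role search strings a user resolves to, in order, without duplicates."""
    found = [conf["roles"][r]
             for g in conf["users"].get(user, "").split()
             for r in conf["groups"].get(g, "").split() if r in conf["roles"]]
    return list(dict.fromkeys(found))
```

A user that resolves to an empty list (such as auditor in the sample) is worth reviewing by hand, since the page does not say how such a user is treated.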
This documentation applies to the following versions of Splunk: 3.1.4