Configure roles
Configure flexible roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create granular access controls by setting a search filter for each role.
Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/bundles/default/authorize.conf. This could break your admin capabilities. Make all changes in $SPLUNK_HOME/etc/bundles/local/authorize.conf. For more information, read about how configuration files work.
Configuration
Add the following attribute/value pairs to $SPLUNK_HOME/etc/bundles/local/authorize.conf.
[role_$ROLE_NAME]
$CAPABILITY1 = enabled
$CAPABILITY2 = enabled
...
importRoles = $OTHER_ROLE
srchFilter = $SEARCH_STRING
- role_$ROLE_NAME: the name you want to give your role, for example security, compliance, ninja.
- $CAPABILITY1: any capability from the list below. You can have any number of capabilities for a role.
- importRoles = $OTHER_ROLE: when set, the current role inherits all the capabilities from $OTHER_ROLE.
- srchFilter = $SEARCH_STRING: use this field for granular access controls. Set a search string to filter on.
- When a user is assigned to multiple roles and a srchFilter restriction is set for one role but not the other, you must explicitly set the srchFilter for the other role to keep the user from being restricted by the first role's filter. For example, for a user who is assigned to both the Admin and User roles, setting srchFilter = * on Admin prevents the user from being restricted to searching only source::/test:
[role_Admin]
srchFilter = *

[role_User]
srchFilter = source::/test
Valid search strings
The srchFilter field can include any of the following search terms:
- source::
- host:: and host tags
- eventtype:: and event type tags
- search fields
- wildcards
The search terms cannot include:
- indexes
- source types
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
Map a role to a user
Once you've created a role in authorize.conf, map it to a user via Splunk Web.
- Click on the admin link in the upper right-hand corner.
- Then select the Users tab.
- Enter the username, password and full name.
- Choose which role to map to from the Role list. Any custom roles you have created via authorize.conf should be listed here.
Note: You must restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list.
Example
The following example creates the role Ninja. A user with this role can do everything listed as an enabled capability (e.g. edit_input). The Ninja role also imports the capabilities of the Security and Compliance roles, meaning Ninja can do everything (and more) that Security and Compliance can do. Additionally, the search filter means that Ninja can only run searches on hosts swan or pearl.
[role_Ninja]
edit_input = enabled
delete_input = enabled
edit_global_save_search = enabled
delete_global_save_search = enabled
create_alert = enabled
start_alert = enabled
start_global_alert = enabled
stop_alert = enabled
stop_global_alert = enabled
save_local_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
edit_saved_search = enabled
savesearch_tab = enabled
allow_livetail = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
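Because importRoles chains capabilities and srchFilter only restricts when every role a user holds sets one, the effective permissions of a user are not obvious from reading a single stanza. The following script is an added example (it is not part of this page or of Splunk) that reads an authorize.conf in the format shown above, resolves inherited capabilities for each role, and reports the effective search filter for a user who holds several roles, flagging the multi-role case described earlier where a role without a srchFilter leaves the user restricted by another role's filter. The sample configuration embedded in the script is constructed for the example; the rule that a role without a srchFilter contributes nothing to the user's search scope is taken from the description above, and the functions and their names are the example's own.

```python
import configparser
from typing import Dict, List, Optional, Set

# Constructed sample in the stanza layout shown on this page (not a file from a real install).
SAMPLE_AUTHORIZE_CONF = """
[role_Admin]
srchFilter = *

[role_User]
srchFilter = source::/test

[role_Security]
edit_role_search = enabled

[role_Compliance]
edit_saved_search = enabled
savesearch_tab = enabled

[role_Ninja]
edit_input = enabled
delete_input = enabled
create_alert = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
"""

# Keys inside a role stanza that are settings rather than capabilities.
SPECIAL_KEYS = {"importRoles", "srchFilter"}


def parse_roles(text: str) -> Dict[str, dict]:
    """Parse [role_*] stanzas into {name: {"caps": set, "imports": list, "filter": str or None}}."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in filters must not be interpolated
    cp.optionxform = str  # keep capability names case-sensitive
    cp.read_string(text)
    roles: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        items = dict(cp.items(section))
        caps = {k for k, v in items.items()
                if k not in SPECIAL_KEYS and v.strip().lower() == "enabled"}
        imports = [r.strip() for r in items.get("importRoles", "").split(";") if r.strip()]
        roles[section[len("role_"):]] = {
            "caps": caps, "imports": imports, "filter": items.get("srchFilter")}
    return roles


def effective_capabilities(roles: Dict[str, dict], name: str,
                           _seen: Optional[Set[str]] = None) -> Set[str]:
    """Capabilities of a role plus everything inherited via importRoles (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in roles:
        return set()
    _seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def user_filter_report(roles: Dict[str, dict], user_roles: List[str]) -> dict:
    """Effective search filter for a user holding several roles.

    Rule taken from the page: a role with no srchFilter does not widen the user's scope,
    so the user stays restricted by whichever other role sets one; an explicit '*' lifts it.
    """
    filters = {r: roles[r]["filter"] for r in user_roles if r in roles}
    set_filters = [f for f in filters.values() if f]
    unfiltered = [r for r, f in filters.items() if not f]
    if not set_filters or any(f.strip() == "*" for f in set_filters):
        effective = "*"
    else:
        effective = " OR ".join(f"({f})" for f in set_filters)
    return {
        "effective_filter": effective,
        "roles_without_filter": unfiltered,
        # True when a role silently inherits another role's restriction (the case the page warns about)
        "needs_explicit_filter": bool(unfiltered) and effective != "*",
    }


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for role in sorted(roles):
        print(f"{role}: {sorted(effective_capabilities(roles, role))}")
    print(user_filter_report(roles, ["Admin", "User"]))
    print(user_filter_report(roles, ["Security", "User"]))
```

Run it against a copy of $SPLUNK_HOME/etc/bundles/local/authorize.conf instead of the embedded sample to review the roles you actually deploy; any report with needs_explicit_filter set to True is a role that should get its own srchFilter line before the user is mapped to it.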
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6