authorize.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
authorize.conf
authorize.conf.spec
# This file contains possible attribute/value pairs for creating roles in authorize.conf. # You can configure roles and granular access controls by creating your own authorize.conf. # There is an authorize.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations, # place an authorize.conf in your own custom bundle directory. # # For help creating a bundle directory, or to learn more about bundles (including bundle precedence) # please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig. [capability::<capability>] * Define a capability in Splunk. * This can also be added dynamically by software registering in the system (see restmap.conf.spec). * Splunk adds most of its capabilities this way so they are enumerated at the end of the file for reference. * See below for the default list of capabilities. [role_<roleName>] <capability_name> = <enabled|disabled> * Capability attached to this role. * You can list many of these. importRoles = <string> * Semicolon delimited list of other role capabilities that should be imported. srchFilter = <string> * Semicolon delimited list of search filters for this Role. # The following is a list of Splunk's capabilities. NOTE: This list is subject to change as # new capabilities are added and old ones are deprecated. If you encounter problems while # configuring authorize.conf, please contact support@splunk.com. access_datamap access_datastore admin_operator allow_livetail allow_shutdown bounce_authentication change_authentication config_management delete_by_keyword delete_user distributed_all_tab distributed_forward_tab distributed_receive_tab distributed_search_tab edit_admin_tabs edit_alert_action edit_audit edit_deployment_class_mapping edit_deployment_client edit_deployment_server edit_eventtype edit_event_discoverer edit_exec edit_field_actions edit_fifo edit_filter edit_forward_server edit_fschange edit_index edit_input_defaults edit_local_search edit_metaevents edit_prefs edit_props edit_roles edit_role_search edit_saved_search edit_search_server edit_segmenter edit_server edit_server_config edit_source_classifier edit_splunktcp edit_splunktcp_ssl edit_ssl edit_tags edit_tail edit_tcp edit_transform edit_udp edit_user edit_watch edit_web_settings get_config_by_type get_config_file get_property_map get_user_prefs kick kickProcessor license_tab list_inputs list_saved_searches request_auth_token run_script_createrss run_script_diff run_script_gentimes run_script_head run_script_idxprobe run_script_iplocation run_script_loglady run_script_marklar run_script_reportcache run_script_runshellscript run_script_sendemail run_script_transpose run_script_uniq run_script_windbag run_script_xmlkv run_script_xmlunescape savesearch_tab save_user_prefs schedule_search search search_admin_index server_auth_config_tab server_control_tab server_settings_tab set_user_prefs sync_auth target_processor user_tab use_file_operator write_config_splunkd
authorize.conf.example
# This is an example authorize.conf. Use this file to configure roles and capabilities. # # There is a default authorize.conf in $SPLUNK_HOME/etc/bundles/default/. Use this example file to # create your own custom authorize.conf. # # To set custom configurations, place an authorize.conf in your own custom bundle directory. [role_Ninja] edit_save_search = enabled schedule_search = enabled edit_eventtype = enabled edit_role_search = enabled edit_local_search = enabled savesearch_tab = enabled edit_tags = enabled importRoles = User;Everybody srchFilter = host=foo # This creates the role Ninja, which inherits capabilities from the default roles User and Everybody. # Ninja has almost the same capabilities as Power, except cannot create alerts (only saved searches). # Also, Ninja is limited to searching on host=foo.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 View the Article History for its revisions.