authorize.conf

This documentation does not apply to the most recent version of Splunk.


Use this file to configure roles and granular access controls.

New in version 3.4.8, the 'change_own_password' capability is available to disable password changes per role. The ability to change one's own password is enabled by default.

authorize.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains possible attribute/value pairs for creating roles in authorize.conf.  
# You can configure roles and granular access controls by creating your own authorize.conf.
# There is an authorize.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an authorize.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 
# authorize.conf.example.  You must restart Splunk to enable configurations.
# 
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[capability::<capability>]
        * Define a capability in Splunk. 
        * This can also be added dynamically by software registering in the system (see restmap.conf.spec). 
        * Splunk adds most of its capabilities this way so they are enumerated at the end of the file for reference.
        * See below for the default list of capabilities.
        
[role_<roleName>]
<capability_name> = <enabled|disabled>
        * Capability attached to this role. 
        * You can list many of these.
importRoles = <string>
        * Semicolon delimited list of other role capabilities that should be imported.
srchFilter = <string>
        * Semicolon delimited list of search filters for this Role.
srchTimeWin = <string>
        * Maximum time span of a search.
        * In seconds.
# The following is a list of Splunk's capabilities.  NOTE:  This list is subject to change as
# new capabilities are added and old ones are deprecated.  If you encounter problems while 
# configuring authorize.conf, please contact support@splunk.com.
[role_Admin] 
edit_user               = change user information in CLI/UI.
edit_search_server      = gives you the ability to write any xml config file in $SPLUNK_HOME/etc.
delete_user             = delete users in UI/CLI.
user_tab                = access users in Splunk Web.
edit_authen             = edit authentication configurations.
delete_authen           = delete authentication configurations.
sync_auth               = sync your auth system with Splunk's settings. 
edit_server_config      = edit server configurations.
delete_eventtype_tag    = delete eventtype tags.
delete_global_search    = delete a saved search.
config_management       = manage configurations.
access_datastore        = allows access to tagging info and license usage info.
change_authentication   = this allows you to save authentication settings.
bounce_authentication   = reload authentication in the UI/CLI.
target_processor        = save settings to Splunk's internal processors.
admin_operator          = run the admin operator while searching.
delete_by_keyword       = access delete search operator.
allow_shutdown          = shutdown Splunk.
write_config_splunkd    = narrows write config to splunkd.xml, for server tab in Splunk Web.
server_settings_tab     = access server settings tab in Splunk Web.
server_control_tab      = access server control tab in Splunk Web.  
server_auth_config_tab  = access server authentication configurations in Splunk Web.
distributed_all_tab     = enables the distributed search tab in Splunk Web.
distributed_receive_tab = enables the distributed search receive tab in Splunk Web.
distributed_forward_tab = enables the distributed search forwarding tab in Splunk Web.
distributed_search_tab  = enables the distributed search tab in Splunk Web.
license_tab             = access license tab.
search_admin_index      = search the admin index or any index prefaced with a _.
edit_alert_action       = change alert actions.
edit_applications       = access the applications section of Splunk Web Admin page.
edit_audit              = change audit settings.
edit_roles              = change user mappings to roles.
edit_deployment_server  = change deployment server settings.
edit_deployment_class_mapping = edit deployment classes.
edit_deployment_client  = change deployment client settings.
edit_event_discoverer   = change event discovery settings.
edit_field_actions      = change field action settings.
edit_index              = change index settings.
edit_input_defaults     = change default input settings. 
edit_batch              = change watch/batch input settings.
edit_fifo               = change FIFO settings.
edit_filter             = configure filter for fschange monitor.
edit_fschange           = change file system monitor settings.
edit_monitor            = change monitor input settings.
edit_scripted           = change scripted input settings.
edit_splunktcp          = set distributed data settings over tcp.
edit_splunktcp_ssl      = set tcp ssl settings.
edit_ssl                = set ssl settings.
edit_tcp                = change tcp input settings.
edit_udp                = change udp input settings.
edit_prefs              = edit prefs.conf.
edit_props              = edit props.conf.
edit_transaction_types  = edit transactiontypes.conf.
edit_transform          = edit transforms.conf.
edit_segmenter          = edit segmenters.conf.
edit_server             = change server settings in server.conf. 
edit_source_classifier  = change source classification as sourcetype.
edit_admin_tabs         = controls editing admin tabs stanza in web.conf.
edit_web_settings       = change the web.conf settings. 
edit_forward_server     = change settings on the forwarding side. 
run_script_crawl        = run the crawl script.
run_script_input        = run input script.
run_script_idxprobe     = run idxprobe script.
use_file_operator       = use the file operator to search your file system.
request_auth_token      = get auth token for other users.
edit_user_searches      = edit any saved search.
rest_apps_management    = manage applications via the REST endpoint.
rest_properties_get     = read REST services/properties.
rest_properties_set     = write REST services/properties.
importRoles = Power;User;Everybody
srchFilter = 
[role_Power]
edit_global_save_search   = edit a shared saved search.
schedule_search           = schedule a search.
delete_global_save_search = delete a shared saved search.
create_alert              = schedule an alert for a scheduled search.
start_alert               = run alerts for a scheduled search.
start_global_alert        = run a shared alert for a scheduled search.
stop_alert                = disable an alert.
stop_global_alert         = disable a shared alert.
edit_role_search          = save a search to a specific role.
allow_livetail            = display live tail in the UI.
edit_tags                 = set tags for events.  
run_script_collect        = run collect script.
importRoles = User;Everybody
srchFilter = 
[role_User]
edit_local_search         = change only your own searches.
savesearch_tab            = access saved searches via Splunk Web.
get_metadata              = access metadata for metadata search processor.
get_typeahead             = allow typeahead.
edit_eventtype            = configure eventtypes via eventtype.conf. 
get_user_prefs            = retrieve your own user prefs.
set_user_prefs            = write your own prefs.
get_property_map          = lets you write to a conf file.
access_datamap            = export global data and import global data via the CLI.
get_config_by_type        = access configurations.
get_config_file           = access any configuration file.
search                    = run a search.
# Script running capabilities
list_inputs                 = list inputs.  
list_saved_searches         = list saved searches -- see your own and those shared with your role.
run_web_script_fields       = Interactive field extraction script.
run_web_script_surrounding_events = enabled
# These scripts are located in $SPLUNK_HOME/etc/searchscripts/
run_script_createrss        = enabled
run_script_diff             = enabled
run_script_gentimes         = enabled
run_script_head             = enabled
run_script_iplocation       = enabled
run_script_loglady          = enabled
run_script_marklar          = enabled
run_script_overlap          = enabled
run_script_reportcache      = enabled
run_script_runshellscript   = enabled
run_script_sendemail        = enabled
run_script_transpose        = enabled
run_script_uniq             = enabled
run_script_windbag          = enabled
run_script_mocknodegraph    = enabled
run_script_xmlkv            = enabled
run_script_xmlunescape      = enabled
importRoles = Everybody
srchFilter = 
[role_Everybody]
srchFilter =

authorize.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This is an example authorize.conf.  Use this file to configure roles and capabilities.
#
# To use one or more of these configurations, copy the configuration block into authorize.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[role_Ninja]
edit_save_search                = enabled
schedule_search                 = enabled
edit_eventtype                  = enabled
edit_role_search                = enabled
edit_local_search               = enabled
savesearch_tab                  = enabled
edit_tags                       = enabled
importRoles = User;Everybody
srchFilter = host=foo
# This creates the role Ninja, which inherits capabilities from the default roles User and Everybody.
# Ninja has almost the same capabilities as Power, except cannot create alerts (only saved searches).
# Also, Ninja is limited to searching on host=foo.
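
Because Ninja imports User, it also receives everything the spec lists under [role_User], including run_script_runshellscript and get_config_file. The following added example (not part of the Splunk documentation or product) resolves a role's effective capabilities through importRoles and reports which watch-listed ones it ends up with. The union-on-import behaviour, the "only enabled counts" rule, the WATCHLIST contents and the sample file are assumptions made for illustration.

```python
# Added example. Assumptions: imported capabilities are unioned, only
# "enabled" values count as grants, and WATCHLIST is an auditor's own choice.
SAMPLE_CONF = """\
[role_Ninja]
schedule_search = enabled
importRoles = User;Everybody
srchFilter = host=foo
[role_User]
get_config_file = enabled
run_script_runshellscript = enabled
importRoles = Everybody
[role_Everybody]
srchFilter =
"""  # constructed sample modelled on the stanzas on this page
WATCHLIST = {"run_script_runshellscript", "get_config_file", "edit_user"}
SETTINGS = {"importRoles", "srchFilter", "srchTimeWin"}  # not capabilities

def parse_roles(text):
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            name = line.strip("[]")
            current = None  # ignore non-role stanzas such as [capability::...]
            if name.startswith("role_"):
                current = roles.setdefault(name[5:], {"caps": set(), "imports": []})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":
                current["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif key not in SETTINGS and value == "enabled":
                current["caps"].add(key)
    return roles

def effective_caps(roles, name, seen=None):
    """Map each granted capability to the role stanza that grants it."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # import cycle or undefined role
        return {}
    seen.add(name)
    granted = {}
    for parent in roles[name]["imports"]:
        granted.update(effective_caps(roles, parent, seen))
    granted.update({cap: name for cap in roles[name]["caps"]})
    return granted

def audit(text, role):
    caps = effective_caps(parse_roles(text), role)
    return {cap: src for cap, src in caps.items() if cap in WATCHLIST}
```

Calling audit(SAMPLE_CONF, "Ninja") shows both watch-listed capabilities arriving from User rather than from the Ninja stanza itself, which is the case a review of the custom stanza alone would miss.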

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14

