Configure roles
Configure flexible roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create fine-grained access controls by setting a search filter for each role.
Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Default Roles
There are three default roles provided with Splunk:
- User
- Power User
- Admin
The User role is the most limited role and is intended to provide access to search and customization that is unlikely to have a high impact on the Splunk environment. Users can, by default:
- Run searches and use the normal features of the event investigation and reporting in Splunk Web
- Create saved searches for their own use
- Create event types
The Power User role adds access to resource-intensive abilities and advanced searches to all the capabilities of the User role. Power users can:
- Do everything that Users can do.
- Create saved searches for use by other users.
- Create and modify tags
- Schedule saved searches, and create and modify alerts on these scheduled saved searches.
- Set up scheduled searches to populate pre-existing summary indexes.
- Use Live Tail
The Admin role is set up to maintain, configure, and administer the Splunk deployment. The Admin role adds everything else, including:
- General administration: modifying inputs, forwarding, users, authentication methods, index configuration, roles. Generally everything accessible via the Admin page.
- Modification of saved searches owned by other users, including schedules and deleting them.
- Access to the special oldsearch delete command to hide data.
- Access to the special search commands to modify splunkd logging.
- Access to the crawl search feature.
- Access to some debugging features.
Configuration
Add the following attribute/value pairs to $SPLUNK_HOME/etc/system/local/authorize.conf.
[role_$ROLE_NAME]
$CAPABILITY1 = enabled
$CAPABILITY2 = enabled
...
importRoles = $OTHER_ROLE
srchFilter = $SEARCH_STRING
- role_$ROLE_NAME: the name you want to give your role, for example security, compliance, ninja.
- $CAPABILITY1: any capability from the list below. You can have any number of capabilities for a role.
- importRoles = <role>: when set, the current role will inherit all the capabilities from <role>.
- srchFilter = <search>: use this field for fine-grained access controls. Searches for this role will be filtered by this expression.
- srchTimeWin = <string>: maximum time span of a search.
Valid search strings
The srchFilter field can include any of the following search terms:
- source=
- host= and host tags
- eventtype= and event type tags
- sourcetype=
- search fields
- wildcards
- use OR to use multiple terms, or AND to make searches more restrictive
Note: Members of multiple roles inherit capabilities from the role with the loosest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all applied.
The search terms cannot include:
- indexes
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
Map a role to a user
Once you've created a role in authorize.conf, map it to a user via Splunk Web.
- Click on the admin link in the upper right-hand corner.
- Then, select the Users tab.
- Enter the username, password and full name.
- Choose which role to map to from the Role list.
- Any custom roles you have created via authorize.conf should be listed here.
Important: If you change (and save) an existing user/group role LDAP mapping from within Splunk Web, all users currently logged in to Splunk Web will be automatically logged out of Splunk Web immediately and must log back in to proceed. This is done to ensure that any users who should no longer have access as a result of the role mapping change are indeed denied access.
Note: You must restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list.
Prevent persistent dashboard changes by role
You can prevent persistent dashboard changes on a per-role basis via web.conf.
In $SPLUNK_HOME/etc/system/local/web.conf add the following:
disablePersistedPrefs = <role>
This prevents any changes a role makes from being written to prefs.conf.
Example
The following example creates the role of Ninja. This user can do everything listed as capabilities (e.g. edit_input). Also, the Ninja role imports the capabilities of the Security and Compliance roles -- meaning Ninja can do everything (and more) that Security and Compliance can do. Additionally, there is a search filter which means that Ninja can only run searches on hosts swan or pearl.
[role_Ninja]
edit_input = enabled
delete_input = enabled
edit_global_save_search = enabled
delete_global_save_search = enabled
create_alert = enabled
start_alert = enabled
start_global_alert = enabled
stop_alert = enabled
stop_global_alert = enabled
save_local_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
edit_saved_search = enabled
savesearch_tab = enabled
allow_livetail = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
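Because importRoles chains and a user may hold several roles, the permissions a role actually grants are not visible from its own stanza alone. The following Python is an added audit example, not Splunk's own code: it parses stanzas of the form shown above, resolves importRoles transitively (with protection against import cycles and undefined roles), and collects the srchFilter of every role a user holds, so that capabilities reached only through inheritance stand out. The Security and Compliance stanzas in the sample are constructed; only the Ninja stanza (shortened) comes from this page.

```python
"""Audit a Splunk 3.x authorize.conf (added example, not Splunk's own code): resolve
importRoles transitively, collect held roles' srchFilter, expose inherited capabilities."""
import configparser

# Constructed sample: a shortened Ninja stanza from the page plus the two roles it imports.
SAMPLE_AUTHORIZE_CONF = """
[role_Security]
edit_role_search = enabled
srchFilter = sourcetype=syslog
[role_Compliance]
allow_livetail = enabled
importRoles = Security
[role_Ninja]
edit_input = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
"""

def parse_roles(text):
    """Return {role: {"capabilities": set, "imports": list, "srchFilter": str|None}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles, srchFilter
    cp.read_string(text)
    roles = {}
    for section in (s for s in cp.sections() if s.startswith("role_")):
        stanza = cp[section]
        roles[section[len("role_"):]] = {
            "capabilities": {k for k, v in stanza.items() if v.strip() == "enabled"},
            "imports": [r for r in stanza.get("importRoles", "").split(";") if r],
            "srchFilter": stanza.get("srchFilter"),
        }
    return roles

def effective_capabilities(roles, name, _seen=None):
    """Own capabilities plus everything reachable through importRoles."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in roles:  # cycle, or import of an undefined role
        return set()
    seen.add(name)
    caps = set(roles[name]["capabilities"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps

def user_search_filters(roles, user_roles):
    """srchFilter of every role the user holds; the page states all of them are applied."""
    return [roles[r]["srchFilter"] for r in user_roles if roles.get(r, {}).get("srchFilter")]
```

Comparing roles["Ninja"]["capabilities"] with effective_capabilities(roles, "Ninja") shows which capabilities (here edit_role_search and allow_livetail) arrive only through the imported roles.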
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.