Add users and assign roles
This documentation does not apply to the most recent version of Splunk.
This topic describes how to create new users and change the properties (like password) of existing users. This topic also describes how to assign users to roles in Splunk's role-based access control system.
Add and edit users via Splunk Web
- In Splunk Web, click Manager.
- Click Users.
- Click New or edit an existing user.
- Specify new or changed information for this user.
- Assign this user to an existing role or roles and click Save.
When you create a user, you can create a role for that user at the same time. You can then edit that role to specify what access the user has in Splunk.
Add and edit users using the CLI
Both examples below authenticate as the admin user with -auth admin:changeme; changeme is the initial admin password, so substitute the password actually set on your instance (and change the initial one if it is still in use).
- To add a new administrator user with the password changeme2:
./splunk add user admin2 -password changeme2 -role admin -auth admin:changeme
- To change an existing user's password to fflanda:
./splunk edit user admin -password fflanda -role admin -auth admin:changeme
Add and edit roles using Splunk Web
- In Splunk Web, click Manager.
- Click Roles.
- Click New or edit an existing role.
- Specify new or changed information for this role. In particular, you can
- restrict what data this role can search with a search filter (see "Search filter format" below for more information)
- restrict over how large of a window of time this role can search
- specify whether this role inherits capabilities from any other roles
- choose individual capabilities for this role
- specify an index or indexes that this role will search by default
- specify whether this role is restricted to a specific index or indexes.
- Click Save.
Note: Members of multiple roles inherit capabilities from the role with the loosest permissions.
Add and edit roles using authorize.conf
Configure roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create fine-grained access controls by setting a search filter for each role.
Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see About configuration files.
Add the following attribute/value pairs to $SPLUNK_HOME/etc/system/local/authorize.conf.
[role_$ROLE_NAME]
$CAPABILITY1 = enabled
$CAPABILITY2 = enabled
...
importRoles = $OTHER_ROLE
srchFilter = $SEARCH_STRING
- role_$ROLE_NAME: the name you want to give your role, for example security, compliance, or ninja. Make sure the name is lowercase.
- $CAPABILITY1: any capability from the list below. You can have any number of capabilities for a role.
- importRoles = <role>;<role>;...: when set, the current role inherits all the capabilities from <role>. If there are multiple roles, separate them with semicolons.
- srchFilter = <search>: use this field for fine-grained access controls. Searches for this role are filtered by this expression (see "Search filter format" below).
- srchTimeWin = <int>: maximum time span (in seconds) of a search executed by this role.
- srchDiskQuota = <int>: maximum amount of disk space (in MB) that can be taken by search jobs of a user who belongs to this role.
- srchJobsQuota = <int>: maximum number of concurrently running searches a member of this role can have.
- srchIndexesDefault = <string>: semicolon-delimited list of indexes to search when no index is specified. These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
- srchIndexesAllowed = <string>: semicolon-delimited list of indexes this role is allowed to search. Follows the same wildcarding semantics as srchIndexesDefault.
Note: You must reload authentication or restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches, but does not log out users who are currently signed in.
Search filter format
The srchFilter/Search filter field can include any of the following search terms:
- source=
- host= and host tags
- index= and index names
- eventtype= and event type tags
- sourcetype=
- search fields
- wildcards
- OR to combine multiple terms, or AND to make searches more restrictive
Note: Members of multiple roles inherit capabilities from the role with the loosest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all combined via OR.
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
Map a user to a role via Splunk Web
Once you've created a role in authorize.conf, map a user or users to it via Splunk Web.
- Click on the Manager link in the upper right-hand corner.
- Then, click the Users link.
- Edit an existing user or create a new one.
- Choose which role to map to from the Role list. Any custom roles you have created via authorize.conf will be listed here.
Example of creating a role in authorize.conf
This example creates the role ninja, which inherits capabilities from the default roles user and everybody. The ninja role has almost the same capabilities as power, except that it cannot create alerts (only saved searches). Also, ninja is limited to searching on host=fflanda. Note that the stanza name is lowercase, as required.
[role_ninja]
edit_save_search = enabled
schedule_search = enabled
edit_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
savesearch_tab = enabled
edit_tags = enabled
importRoles = user;everybody
srchFilter = host=fflanda
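The following is an added example, not code from this page or from Splunk itself. It parses [role_*] stanzas from authorize.conf text, resolves importRoles into a capability set the way the "Add and edit roles using authorize.conf" section describes (capabilities only follow importRoles, as the page states), combines the srchFilter of a user's roles with OR as the "Search filter format" note says, and flags constructs the page lists as not allowed in a search filter. The sample configuration is constructed here: the ninja stanza is the one from the example above, everybody/user/power are simplified stand-ins rather than Splunk's real default roles, the soc role is hypothetical, and treating an unset srchFilter or srchTimeWin as "no restriction" (so a user holding such a role is unrestricted) is this example's reading of the "loosest permissions" note.

```python
"""Added example (not Splunk's code): resolve the effective access a user
gets from the [role_*] stanzas of an authorize.conf file."""
import configparser
from typing import Dict, List, Optional, Set

# Stanza keys that are settings rather than capabilities.
ROLE_SETTINGS = {"importRoles", "srchFilter", "srchTimeWin", "srchDiskQuota",
                 "srchJobsQuota", "srchIndexesDefault", "srchIndexesAllowed"}

# Constructed sample authorize.conf (assumption: everybody/user/power are
# simplified stand-ins for the defaults; soc is a hypothetical role).
SAMPLE_AUTHORIZE_CONF = """
[role_everybody]

[role_user]
edit_save_search = enabled
savesearch_tab = enabled
importRoles = everybody

[role_power]
schedule_search = enabled
edit_eventtype = enabled
edit_alert_action = enabled
importRoles = user

[role_ninja]
edit_save_search = enabled
schedule_search = enabled
edit_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
savesearch_tab = enabled
edit_tags = enabled
importRoles = user;everybody
srchFilter = host=fflanda

[role_soc]
importRoles = user
srchFilter = index=security sourcetype=firewall
srchTimeWin = 86400
"""

Roles = Dict[str, Dict[str, str]]


def parse_roles(conf_text: str) -> Roles:
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep importRoles/srchFilter spelled as written
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}


def load_sample_roles() -> Roles:
    return parse_roles(SAMPLE_AUTHORIZE_CONF)


def resolve_capabilities(role: str, roles: Roles,
                         _seen: Optional[Set[str]] = None) -> Set[str]:
    """Capabilities enabled on `role` plus those of every role it imports.
    An unknown role raises (a typo in importRoles should not pass silently);
    an import cycle is cut off rather than recursing forever."""
    if role not in roles:
        raise KeyError(f"unknown role: {role}")
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    stanza = roles[role]
    caps = {k for k, v in stanza.items()
            if k not in ROLE_SETTINGS and v.strip().lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= resolve_capabilities(parent.strip(), roles, seen)
    return caps


def effective_search_filter(user_roles: List[str], roles: Roles) -> str:
    """OR together the srchFilter of each assigned role. A role with no
    srchFilter has no restriction, so the user is unrestricted: returns ""
    (assumption: the loosest role wins, per the page's note)."""
    parts = []
    for name in user_roles:
        f = roles[name].get("srchFilter", "").strip()
        if not f:
            return ""
        parts.append(f"({f})")
    return " OR ".join(parts)


def effective_time_window(user_roles: List[str], roles: Roles) -> Optional[int]:
    """Largest srchTimeWin among the roles; None (no limit) if any role
    leaves it unset (same loosest-role assumption as above)."""
    wins = [roles[n].get("srchTimeWin") for n in user_roles]
    return None if any(w is None for w in wins) else max(int(w) for w in wins)


def search_filter_problems(srch_filter: str) -> List[str]:
    """Flag things the page says a filter cannot contain: time operators and
    piped commands (saved searches, regex). Heuristic string checks only."""
    text, problems = srch_filter.lower(), []
    if "|" in text:
        problems.append("pipe: search commands such as rex/savedsearch not allowed")
    problems += [f"time operator {op} not allowed"
                 for op in ("earliest=", "latest=") if op in text]
    return problems


if __name__ == "__main__":
    r = load_sample_roles()
    print("ninja capabilities:", sorted(resolve_capabilities("ninja", r)))
    print("ninja+soc filter:", effective_search_filter(["ninja", "soc"], r))
    print("ninja+user filter:", repr(effective_search_filter(["ninja", "user"], r)))
    print(search_filter_problems("host=fflanda earliest=-1d | rex field=_raw x"))
```

The point to take from the "ninja+user" case is practical: adding a user to any role that carries no search filter removes the restriction the filtered role was supposed to impose, so check every role a user holds, not just the one you wrote the filter for.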
List of available capabilities
This list shows capabilities available for roles. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list.
[role_admin]
edit_user = change user information in CLI/UI.
edit_search_server = gives you the ability to write any xml config file in $SPLUNK_HOME/etc.
delete_user = delete users in UI/CLI.
change_authentication = this allows you to save authentication settings.
bounce_authentication = reload authentication in the UI/CLI.
delete_by_keyword = access delete search operator.
license_tab = access license tab.
edit_alert_action = change alert actions.
edit_roles = change user mappings to roles.
edit_deployment_server = change deployment server settings.
edit_deployment_client = change deployment client settings.
indexes_edit = change index settings.
edit_input_defaults = change default input settings.
edit_monitor = change monitor input settings.
edit_scripted = change scripted input settings.
edit_splunktcp = set distributed data settings over tcp.
edit_splunktcp_ssl = set tcp ssl settings.
edit_tcp = change tcp input settings.
edit_udp = change udp input settings.
edit_server = change server settings in server.conf.
edit_web_settings = change the web.conf settings.
edit_forwarders = change settings on the forwarding side.
use_file_operator = use the file operator to search of your file system.
request_auth_token = get auth token for other users.
rest_apps_management = manage applications via the REST endpoint.
rest_properties_get = read REST services/properties.
rest_properties_set = write REST services/properties.
admin_all_objects = ability to administer all objects in the system (user objects, search jobs etc..)
importRoles = other roles from which this role imports capabilities (the admin role imports from the power and user roles).
srchFilter = restrictions on what Splunk objects this role can see or manipulate (the admin role has no restrictions).
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11