authorize.conf

This documentation does not apply to the most recent version of Splunk.

The following are the spec and example files for authorize.conf.

authorize.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0 
#
# This file contains possible attribute/value pairs for creating roles in authorize.conf.  
# You can configure roles and granular access controls by creating your own authorize.conf.

# There is an authorize.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an authorize.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 
# authorize.conf.example.  You must restart Splunk to enable configurations.
# 
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[capability::<capability>]
	* Define a capability in Splunk. 
	* This can also be added dynamically by software registering in the system (see restmap.conf.spec). 
	* Splunk adds most of its capabilities this way so they are enumerated at the end of the file for reference.
	* See below for the default list of capabilities.
	
[role_<roleName>]
<capability_name> = <enabled|disabled>
	* Capability attached to this role.
	* You can list many of these.

importRoles = <string>
	* Semicolon delimited list of other role capabilities that should be imported.
	* Importing other roles also imports the other aspects of that role, such as allowed indexes to search.

srchFilter = <string>
	* Semicolon delimited list of search filters for this role.

srchTimeWin = <string>
	* Maximum time span of a search. 

srchDiskQuota = <int>
	* Maximum amount of disk space (MB) that can be taken by search jobs of a user 
	  that belongs to this role

srchJobsQuota = <int>
	* Maximum number of concurrently running searches a member of this role can have

srchIndexesDefault = <string>
	* Semicolon delimited list of indexes to search when no index is specified
	* These indexes can be wildcarded, with the exception that '*' does not match internal indexes
	* To match internal indexes, start with '_'. All internal indexes are represented by '_*'

srchIndexesAllowed = <string>
	* Semicolon delimited list of indexes this role is allowed to search
	* Follows the same wildcarding semantics as srchIndexesDefault

# The following is a list of Splunk's capabilities.  NOTE:  This list is subject to change as
# new capabilities are added and old ones are deprecated.  If you encounter problems while 
# configuring authorize.conf, please contact support at http://www.splunk.com/page/submit_issue.


[role_admin] 
edit_user               = change user information in CLI/UI.
edit_search_server      = gives you the ability to write any xml config file in $SPLUNK_HOME/etc.
change_authentication   = this allows you to save authentication settings.
bounce_authentication   = reload authentication in the UI/CLI.
delete_by_keyword       = access delete search operator.
license_tab             = access license tab.
edit_alert_action       = change alert actions.
edit_roles              = change user mappings to roles.
edit_deployment_server  = change deployment server settings.
edit_deployment_client  = change deployment client settings.
indexes_edit            = change index settings.
edit_input_defaults     = change default input settings. 
edit_monitor            = change monitor input settings.
edit_scripted           = change scripted input settings.
edit_splunktcp          = set distributed data settings over tcp.
edit_splunktcp_ssl      = set tcp ssl settings.
edit_tcp                = change tcp input settings.
edit_udp                = change udp input settings.
edit_server             = change server settings in server.conf. 
edit_web_settings       = change the web.conf settings. 
edit_forwarders         = change settings on the forwarding side. 
use_file_operator       = use the file operator to search your file system.
request_auth_token      = get auth token for other users.
rest_apps_management    = manage applications via the REST endpoint.
rest_properties_get     = read REST services/properties.
rest_properties_set     = write REST services/properties.
admin_all_objects       = ability to administer all objects in the system (user objects, search jobs, etc.)
importRoles = power;user
srchFilter = 

[role_power]
schedule_search           = schedule a search.
allow_livetail            = display live tail in the UI.
edit_tags                 = set tags for events.  


importRoles = user
srchFilter = 

[role_user]
get_metadata              = access metadata for metadata search processor.
get_typeahead             = allow typeahead.

search                    = run a search.

# Script running capabilities

list_inputs                 = list inputs.  

importRoles =
srchFilter = 


authorize.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0
#
# This is an example authorize.conf.  Use this file to configure roles and capabilities.
#
# To use one or more of these configurations, copy the configuration block into authorize.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[role_ninja]
edit_save_search  			= enabled
schedule_search          	= enabled
edit_eventtype      		= enabled
edit_role_search        	= enabled
edit_local_search         	= enabled
savesearch_tab            	= enabled
edit_tags                 	= enabled
importRoles = user;everybody
srchFilter = host=foo
srchIndexesDefault = mail;main
srchIndexesAllowed = *

# This creates the role Ninja, which inherits capabilities from the default roles User and Everybody.
# Ninja has almost the same capabilities as Power, except that it cannot create alerts (only saved searches).
# Also, Ninja is limited to searching on host=foo.
# Ninja is allowed to search all public indexes (those that do not start with underscore), and will
# search the indexes mail and main if no index is specified in the search.
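
The importRoles and index-wildcard rules above decide what a role can actually reach, so they are worth checking mechanically when reviewing a local authorize.conf. The following Python is an added example, not part of Splunk's documentation or code: it parses role stanzas, follows importRoles, and reports each role's resulting capabilities and whether it can search a given index. It assumes imported capabilities and allowed indexes merge additively; role_ops and role_lead in the sample are hypothetical, and _internal is used as the internal index to test.

```python
import configparser
import re
# Role attributes named in the spec; any other key in a role stanza is a capability.
SETTINGS = {"importRoles", "srchFilter", "srchTimeWin", "srchDiskQuota",
            "srchJobsQuota", "srchIndexesDefault", "srchIndexesAllowed"}
SAMPLE = """
[role_user]
search = enabled
srchIndexesAllowed = main
[role_ops]
edit_user = enabled
importRoles = user
srchIndexesAllowed = _*
[role_lead]
importRoles = ops;everybody
srchIndexesAllowed = *
"""  # constructed input; role_ops and role_lead are hypothetical roles

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    return {v.strip() for v in (value or "").split(";") if v.strip()}

def effective(roles, name, seen=None):
    """Capabilities and allowed-index patterns of a role, imported roles included."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # import cycle, or role not in this file
        return set(), set()
    seen.add(name)
    role = roles[name]
    caps = {k for k, v in role.items() if k not in SETTINGS and v.strip() == "enabled"}
    idx = split_list(role.get("srchIndexesAllowed"))
    for parent in split_list(role.get("importRoles")):
        pcaps, pidx = effective(roles, parent, seen)
        caps, idx = caps | pcaps, idx | pidx  # assumption: imports merge additively
    return caps, idx

def can_search(roles, name, index):
    """Spec rule: a pattern matches an internal ('_') index only if it starts with '_'."""
    return any((p.startswith("_") or not index.startswith("_"))
               and re.fullmatch(".*".join(map(re.escape, p.split("*"))), index)
               for p in effective(roles, name)[1])

def report(roles, index="_internal"):  # role -> (capabilities, can search `index`?)
    return {n: (sorted(effective(roles, n)[0]), can_search(roles, n, index)) for n in roles}
```

In the sample, role_lead's own `srchIndexesAllowed = *` does not reach _internal, but the `_*` pattern it imports from role_ops does, and edit_user arrives the same way.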

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

