Set App permissions
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Set App permissions
Objects in an App have access controls set by role. Use access controls to set which users can read and write to which objects. Currently, object types include:
- saved searches
- event types
- search commands
- views
- pages in Splunk Manager
- dashboards
- view collections
Set permissions in Splunk Manager
You can set permissions on a per-object basis in Splunk Manager. Follow these instructions:
- Navigate to Splunk Manager.
- Click on one of the object pages on the right-hand side. For example Saved searches. You can also pick All configurations if you want to set permissions on all the configurations in a given app.
- Click the permissions link.
- Set permissions to read/write for all the roles listed.
- Click save.
Set permissions in the back-end
Use default.meta to set read and write permissions for all the objects in your App. Follow these instructions:
- Add default.meta to your App's default directory:
$SPLUNK_HOME/etc/apps/<app_name>/metadata/default.meta. - Then, edit this file to set permissions for any object in the App.
- Add an entry for each object, or all objects of a type:
[/<owner>/<App>/<object_type>/<object_name>] access = read : [ <comma-separated list of roles>], write : [ comma-separated list of roles>]
- The owner is the user that created the object. For default and global objects, this is often "nobody."
- The App is whatever app directory the object lives in.
- Object type can be one of the above-listed types (saved searches, event types, views, etc).
- The object name is whatever name you gave to your saved search, view, event type, etc.
Set permissions per object
You can set permissions on a per-object basis by explicitly naming the object. For example, this entry gives the admin role read and write permissions for the "Splunk errors in the last 24 hours" saved search:
[/nobody/search/savedsearches/Splunk%20errors%20last%2024%20hours] access = read : [ admin ], write : [ admin ]
Set permissions for all objects of a type
You can also set permissions for all objects of a given type. This entry grants read permissions to everyone and write permissions to admin and power roles for all event types in the App:
[/nobody/search/eventtypes] access = read : [ * ], write : [ admin, power ]
Make objects globally available
By default, objects are only visible within the App they were created in. So if you create an event type in your helloworld App, it will show up within that App. To make an object available to all Apps, add the following line to the object's entry in default.meta:
export = system
For example:
[/nobody/helloworld/eventtypes] access = read : [ * ], write : [ admin, power ] export = system
This will make all event types in helloworld viewable in every App in your Splunk install.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.