This documentation does not apply to the most recent version of Splunk.
The following are the spec and example files for authorize.conf.
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.1.5
#
# This file contains possible attribute/value pairs for creating roles in authorize.conf.
# You can configure roles and granular access controls by creating your own authorize.conf.
# There is an authorize.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an authorize.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# authorize.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[capability::<capability>]
    * Defines a Splunk system capability
    * Splunk adds all of its capabilities this way
    * For the default list of capabilities and assignments, see authorize.conf under the 'default' directory
    * Descriptions of specific capabilities are listed below

[role_<roleName>]
<capability> = <enabled>
    * A capability that is enabled for this role
    * You can list many of these.
    * Note that 'enabled' is the only accepted value here, as capabilities are disabled by default
    * Roles inherit all capabilities from imported roles, and inherited capabilities cannot be disabled
    * Role names cannot have uppercase characters. User names, however, are case-insensitive.

importRoles = <string>
    * Semicolon delimited list of other role capabilities that should be imported.
    * Importing other roles also imports the other aspects of that role, such as allowed indexes to search.

srchFilter = <string>
    * Semicolon delimited list of search filters for this Role.

srchTimeWin = <number>
    * Maximum time span of a search, in seconds.

srchDiskQuota = <number>
    * Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role

srchJobsQuota = <number>
    * Maximum number of concurrently running historical searches a member of this role can have (excludes real-time searches, see rtSrchJobsQuota)

rtSrchJobsQuota = <number>
    * Maximum number of concurrently running real-time searches a member of this role can have

srchIndexesDefault = <string>
    * Semicolon delimited list of indexes to search when no index is specified
    * These indexes can be wildcarded, with the exception that '*' does not match internal indexes
    * To match internal indexes, start with '_'. All internal indexes are represented by '_*'

srchIndexesAllowed = <string>
    * Semicolon delimited list of indexes this role is allowed to search
    * Follows the same wildcarding semantics as srchIndexesDefault

### Descriptions of Splunk system capabilities

[capability::admin_all_objects]
    * A role with this capability has access to objects in the system (user objects, search jobs, etc.)
    * This bypasses any ACL restrictions (similar to root access in a *nix environment)
    * We check this capability when accessing manager pages and objects

[capability::change_authentication]
    * Required to change authentication settings through the various authentication endpoints.
    * Also controls whether authentication can be reloaded

[capability::change_own_password]
    * Self explanatory. Some auth systems prefer to have passwords be immutable for some users.

[capability::delete_by_keyword]
    * Required to use the 'delete' search operator. Note that this does not actually delete the raw data on disk.
    * Delete merely masks the data (via the index) from showing up in search results.

[capability::edit_deployment_client]
    * Self explanatory. The deployment client admin endpoint requires this cap for edit.

[capability::edit_deployment_server]
    * Self explanatory. The deployment server admin endpoint requires this cap for edit.

[capability::edit_dist_peer]
    * Required to add and edit peers for distributed search.

[capability::edit_forwarders]
    * Required to edit settings for forwarding data.
    * Used by TCP and Syslog output admin handlers
    * Includes settings for SSL, backoff schemes, etc.

[capability::edit_httpauths]
    * Required to edit and end user sessions through the httpauth-tokens endpoint

[capability::edit_input_defaults]
    * Required to change the default hostname for input data in the server settings endpoint.

[capability::edit_monitor]
    * Required to add inputs and edit settings for monitoring files.
    * Used by the standard inputs endpoint as well as the one-shot input endpoint.

[capability::edit_roles]
    * Required to edit roles as well as change the mappings from users to roles.
    * Used by both the users and roles endpoint.

[capability::edit_scripted]
    * Required to create and edit scripted inputs.

[capability::edit_search_server]
    * Required to edit general distributed search settings like timeouts, heartbeats, and blacklists

[capability::edit_server]
    * Required to edit general server settings such as the server name, log levels, etc.

[capability::edit_splunktcp]
    * Required to change settings for receiving TCP input from another Splunk instance.

[capability::edit_splunktcp_ssl]
    * Required to list or edit any SSL specific settings for Splunk TCP input.

[capability::edit_tcp]
    * Required to change settings for receiving general TCP inputs.

[capability::edit_udp]
    * Required to change settings for UDP inputs.

[capability::edit_user]
    * Required to create, edit, or remove users.
    * Note that Splunk users may edit certain aspects of their information without this capability.
    * Also required to manage certificates for distributed search.

[capability::edit_web_settings]
    * Required to change the settings for web.conf through the system settings endpoint.

[capability::get_metadata]
    * Required to use the 'metadata' search processor.

[capability::get_typeahead]
    * Required for typeahead. This includes the typeahead endpoint and the 'typeahead' search processor.

[capability::indexes_edit]
    * Required to change any index settings like file size and memory limits.

[capability::license_tab]
    * Required to access and change the license.

[capability::list_forwarders]
    * Required to show settings for forwarding data.
    * Used by TCP and Syslog output admin handlers.

[capability::list_httpauths]
    * Required to list user sessions through the httpauth-tokens endpoint.

[capability::list_inputs]
    * Required to view the list of various inputs.
    * This includes input from files, TCP, UDP, Scripts, etc.

[capability::request_remote_tok]
    * Required to get a remote authentication token.
    * Used for distributing search to old 4.0.x Splunk instances.
    * Also used for some distributed peer management and bundle replication.

[capability::rest_apps_management]
    * Required to edit settings for entries and categories in the python remote apps handler.
    * See restmap.conf for more information

[capability::rest_apps_view]
    * Required to list various properties in the python remote apps handler.
    * See restmap.conf for more info

[capability::rest_properties_get]
    * Required to get information from the services/properties endpoint.

[capability::rest_properties_set]
    * Required to edit the services/properties endpoint.

[capability::restart_splunkd]
    * Required to restart Splunk through the server control handler.

[capability::rtsearch]
    * Required to run a realtime search.

[capability::schedule_search]
    * Required to schedule saved searches.

[capability::search]
    * Self explanatory - required to run a search.

[capability::use_file_operator]
    * Required to use the 'file' search operator.
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.1.5
#
# This is an example authorize.conf. Use this file to configure roles and capabilities.
#
# To use one or more of these configurations, copy the configuration block into authorize.conf
# in $SPLUNK_HOME/etc/system/local/. You must reload auth or restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500

# This creates the role 'ninja', which inherits capabilities from the 'user' role.
# ninja has almost the same capabilities as power, except cannot schedule searches.
# The search filter limits ninja to searching on host=foo.
# ninja is allowed to search all public indexes (those that do not start with underscore), and will
# search the indexes mail and main if no index is specified in the search.
# ninja is allowed to run 8 search jobs and 8 real time search jobs concurrently (these counts are independent).
# ninja is allowed to take up 500 megabytes total on disk for all their jobs.
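Because roles inherit capabilities and allowed indexes through importRoles, and inherited capabilities cannot be disabled, a role's own stanza does not show its full reach. The following audit sketch is an added example, not part of the Splunk spec or example file: it resolves each role's effective capabilities and allowed indexes across imports. The sample roles (ops, helpdesk) and the choice of which capabilities count as high-impact are assumptions.

```python
import configparser

# Capabilities from the spec treated as high-impact here (the selection is an assumption).
SENSITIVE = {"admin_all_objects", "edit_roles", "edit_user",
             "change_authentication", "edit_scripted", "delete_by_keyword"}

# Constructed sample authorize.conf; role names ops/helpdesk are hypothetical.
SAMPLE = """
[role_user]
search = enabled
srchIndexesAllowed = main
[role_ops]
importRoles = user
edit_scripted = enabled
srchIndexesAllowed = main;_*
[role_helpdesk]
importRoles = ops
edit_user = enabled
"""

def load_roles(text):
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case (importRoles, srchIndexesAllowed)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, name, seen=None):
    # Returns (capabilities, allowed indexes) for a role, following importRoles.
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # unknown role or import cycle
        return set(), set()
    seen.add(name)
    attrs = roles[name]
    caps = {k for k, v in attrs.items() if v.strip() == "enabled"}
    idx = {i.strip() for i in attrs.get("srchIndexesAllowed", "").split(";") if i.strip()}
    for parent in attrs.get("importRoles", "").split(";"):
        pc, pi = effective(roles, parent.strip(), seen)
        caps, idx = caps | pc, idx | pi
    return caps, idx

def audit(text):
    # Maps role -> (sensitive capabilities held, internal-index patterns allowed).
    roles = load_roles(text)
    report = {}
    for name in roles:
        caps, idx = effective(roles, name)
        report[name] = (sorted(caps & SENSITIVE), sorted(i for i in idx if i.startswith("_")))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, helpdesk enables only edit_user in its own stanza but also ends up with edit_scripted and access to internal indexes through its import of ops.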