Add and edit roles
Add and edit roles using Splunk Web
In Splunk Web:
1. Click Manager.
2. Click Access controls.
3. Click Roles.
4. Click New or edit an existing role.
5. Specify new or changed information for this role. In particular, you can:
- restrict what data this role can search with a search filter. See "Search file format" below.
- restrict over how large of a window of time this role can search.
- specify whether this role inherits capabilities and properties from any other roles.
- choose individual capabilities for this role.
- specify an index or indexes that this role will search by default.
- specify whether this role is restricted to a specific index or indexes.
6. Click Save.
Configure roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create fine-grained access controls by setting a search filter for each role.
Caution: Do not edit or delete any roles in
$SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in
$SPLUNK_HOME/etc/system/local/, or your own custom application directory in
$SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see About configuration files.
Here's the syntax for adding roles through
[role_<roleName>] <attribute> = <value> <attribute> = <value> ...
<roleName> in the stanza header is the name you want to give your role. For example:
The role name must be lowercase. For example: "role_security"
You can include these attributes in the role stanza:
<capability> = enabled
- This can be any capability from the list in "List of available capabilities". You can have add any number of capabilities to a role.
- Capabilities are disabled by default. To add a capability to a role, just set it to "enabled".
importRoles = <role>;<role>;...
- When set, the current role will inherit all the capabilities from
- Separate multiple roles, if any, with semicolons.
- When set, the current role will inherit all the capabilities from
srchFilter = <search_string>
- Use this field for fine-grained access controls. Searches for this role will be filtered by this expression.
- See the next section for information on how to format the search filter.
srchTimeWin = <string>
- Maximum time span (in seconds) of a search executed by this role.
srchDiskQuota = <int>
- Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
srchJobsQuota = <int>
- Maximum number of concurrently running searches a member of this role can have.
rtSrchJobsQuota = <number>
- Maximum number of concurrently running real-time searches a member of this role can have.
srchIndexesDefault = <string>
- Semicolon delimited list of indexes to search when no index is specified.
- These indexes can be wildcarded, with the exception that '*' does not match internal indexes.
- To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
srchIndexesAllowed = <string>
- Semicolon delimited list of indexes this role is allowed to search.
- Follows the same wildcarding semantics as
Note: You must reload authentication or restart Splunk after making changes to
authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches, but does not boot current users.
Search filter format
srchFilter/Search filter field can include any of the following search terms:
host=and host tags
index=and index names
eventtype=and event type tags
- search fields
ORto use multiple terms, or
ANDto make searches more restrictive
Note: Members of multiple roles inherit properties from the role with the broadest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all combined via OR. For example, by default, the Power and User roles do not have a search term filter restriction defined (this field is blank) and they do not restrict search results by default. If a user has a combination of the Power or User role and another role that does have restricted search terms defined (for example, srchFilter=x), the open search associated with the default Power (or User) role will no longer apply (and that user role will have the restriction of srchFilter=x). If you want to maintain the default of no search filter for the Power (or User) role, you must explicitly add the srchFilter=* to the role.
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:
- The search filter limits ninja to searching on
- ninja is allowed to search all public indexes (those that do not start with underscore) and will search the indexes
mainif no index is specified in the search.
- ninja is allowed to run 8 search jobs and 8 real-time search jobs concurrently. (These counts are independent.)
- ninja is allowed to occupy up to 500MB total space on disk for all its jobs.
[role_ninja] rtsearch = enabled importRoles = user srchFilter = host=foo srchIndexesAllowed = * srchIndexesDefault = mail;main srchJobsQuota = 8 rtSrchJobsQuota = 8 srchDiskQuota = 500
List of available capabilities
This list shows capabilities available for roles. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list except for the "delete_by_keyword" capability.
||Has access to objects in the system (user objects, search jobs, etc.).|
||Can change authentication settings and reload authentication.|
||Can change own user password.|
||Can use the "delete" search operator.|
||Can change deployment client settings.|
||Can change deployment server settings.|
||Can add and edit peers for distributed search.|
||Can change forwarder settings.|
||Can edit and end user sessions.|
||Can change default hostnames for input data.|
||Can add inputs and edit settings for monitoring files.|
||Can edit roles and change user/role mappings.|
||Can create and edit scripted inputs.|
||Can edit general distributed search settings like timeouts, heartbeats, and blacklists.|
||Can edit general server settings like server name, log levels, etc.|
||Can change settings for receiving TCP inputs from another Splunk instance.|
||Can list or edit any SSL-specific settings for Splunk TCP input.|
||Can change settings for receiving general TCP inputs.|
||Can change settings for UDP inputs.|
||Can create, edit, or remove users.|
||Can change settings for web.conf.|
||Enables the "metadata" search processor.|
||Can change index settings like file size and memory limits.|
||Can access and change the license.|
||Can show forwarder settings.|
||Can list user sessions.|
||Can list various inputs, including input from files, TCP, UDP, scripts, etc.|
||Can get a remote authentication token.|
||Can edit settings in the python remote apps handler.|
||Can list properties in the python remote apps handler.|
||Can get information from the services/properties endpoint.|
||Can edit the services/properties endpoint.|
||Can restart Splunk through the server control handler.|
||Can run real-time searches.|
||Can schedule saved searches.|
||Can run searches.|
||Can use the "file" search operator.|
Configure user session timeouts
Setting access to manager consoles and apps
This documentation applies to the following versions of Splunk® Enterprise: