Set up user authentication with Splunk's built-in system
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Set up user authentication with Splunk's built-in system
Splunk ships with support for three types of authentication systems:
- Splunk's own built-in system, described in the topic you're now reading.
- LDAP, described in Set up user authentication with LDAP.
- A scripted authentication API for use with an external authentication system, such as PAM or RADIUS, described in Configure Splunk to use scripted authentication.
Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)
This topic describes how to create new users and change the properties (like password) of existing users using Splunk's built-in authentication system.
This topic also describes how to assign users to roles in Splunk's role-based access control system. Even if you're using LDAP or scripted authentication to authenticate users, you still need to follow the instructions in this topic on assigning roles to users.
Note: Role names must use lowercase characters. For example: "admin", not "Admin". User names, however, are entirely case-insensitive: "Jacque", "jacque", "JacQue" are all the same to Splunk.
Add and edit users
You can use Splunk Web or the CLI to add and edit users and assign them roles.
Note: Members of multiple roles inherit capabilities and properties from the role with the broadest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all combined via OR.
Use Splunk Web
In Splunk Web:
1. Click Manager.
2. Click Access controls.
3. Click Users.
4. Click New or select an existing user to edit that user.
5. Specify or change the information for the user. You can specify the user's:
- full name.
- email address.
- time zone. This allows users to view events and other information in their own time zone.
- default app. This overrides the default app inherited from the user's role.
- password.
6. Assign the user to an existing role or roles and click Save.
You can also create a role specifically for a user, defining exactly what access that user has to Splunk. You can then assign the user to that role. For information on roles, read "Add and edit roles".
Use the CLI
In the CLI, use the add user command. Here are some examples:
- To add a new administrator user with the password "changeme2":
./splunk add user admin2 -password changeme2 -role admin -auth admin:changeme
- To change an existing user's password to "fflanda":
./splunk edit user admin -password fflanda -role admin -auth admin:changeme
Note: Passwords with special characters that would be interpreted by the shell (for example '$' or '!') must be either escaped or single-quoted. For example:
./splunk edit user admin -password 'fflanda$' -role admin -auth admin:changeme
or
./splunk edit user admin -password fflanda\$ -role admin -auth admin:changeme
Map a user to a role via Splunk Web
Once you've created a role in authorize.conf, map a user or users to it via Splunk Web:
1. Click on the Manager link in the upper right-hand corner.
2. Click the Users link.
3. Edit an existing user or create a new one.
4. Choose which role to map to from the Role list.
- Any custom roles you have created in
authorize.confwill be listed here.
This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.
The Notes regarding special characters within passwords doesn't seem to apply to Windows 2008 R2 servers. Single quotes where taken as part of the password.