Step 5: Set permissions
Every app and object within the app is governed by a set of permissions. Splunk's permissions work much like the *nix filesystem permissions: objects and apps can be set to read only or read and write for every role within Splunk. Use permissions to govern what users can see and interact with. For example, you can create a business stats view that is only available to your executive team and a set of views reporting application errors that are only available to your application development team. You can also specify which apps can be accessed by different teams in your organization. For example, you may have a business analytics app that is the only thing your executive team can see when they log into Splunk. Furthermore, since you can set read and write permissions, you can enable certain users to create new objects, or edit existing objects within an app while other users can only create new objects or edit objects within their user directory.
Every user has their own user directory, so if they create a saved search, for example, it lives in their user directory. Users can promote objects from the user level to the app level -- but only if they have write permissions on the app. When a user shares an object by promoting it, Splunk actually moves the object on the filesystem from the user directory to the app directory. For example, if a member of the Ops team creates a saved search, it lives in their user directory unless they specifically share it with a given app. Then, it is available to all users who have read access within that app.
You can set permissions through Splunk Manager or through the file system. Splunk recommends that you use Splunk Manager first, but if you need to make some tweaks, this page explains how to edit the metadata file in your app.
If you'd like to know more about users and roles, refer to About users and roles in the Admin manual.
Set permissions in Splunk Manager
You can set permissions on a per-object and per-app basis in Splunk Manager. Follow these instructions:
- Navigate to Splunk Manager.
- In the Knowledge panel, select a category containing the object you want to edit permissions for. For example, to change permissions on a saved search, click Searches and reports. You can also select All configurations to access all the configurations in a given app.
- Once you've found the object you want to set permissions for, click the permissions link next to the object.
- Set permissions to read and/or write for all the roles listed.
- Click Save.
Set permissions in the filesystem
Use default.meta to set read and write permissions for all the objects in your app. Follow these instructions:
- Add default.meta to your app's default directory:
- Then, edit this file to set permissions for any object in the app.
- Add an entry for each object, or all objects of a type:
    [<object_type>/<object_name>]
    access = read : [ <comma-separated list of roles> ], write : [ <comma-separated list of roles> ]
- Object type can be any of the objects listed in step 4: add objects, including saved searches, event types, views, and apps.
- The object name is whatever name you gave to your saved search, view, event type, or other object. If you don't specify an object name, then permissions apply to all objects of that type.
Set permissions per object
You can set permissions on a per-object basis by explicitly naming the object. For example, in default.meta, this entry gives the admin role read and write permissions for the "Splunk errors in the last 24 hours" saved search:

    [savedsearches/Splunk%20errors%20last%2024%20hours]
    access = read : [ admin ], write : [ admin ]
Set permissions for all objects of a type
You can set permissions for all objects of a given type. In default.meta, this entry grants read permissions to everyone and write permissions to admin and power roles for all event types in the app:

    [eventtypes]
    access = read : [ * ], write : [ admin, power ]
Make objects globally available
By default, objects are only visible within the app in which they were created. So if you create an event type in your business analytics app, it is available only within that app. To make an object available to all apps, add the following line to the object's entry in default.meta:

    export = system
For example, add the following entry to default.meta:

    [eventtypes]
    access = read : [ * ], write : [ admin, power ]
    export = system
This makes all event types in your business analytics app viewable in every app in your Splunk installation.
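To review what a default.meta file actually grants before you ship an app, the following added example (not Splunk's own code) parses entries in the format shown on this page and flags two conditions. The function names, the constructed sample file, and the choice of what to flag (write access for `*`, and `export = system` combined with read access for `*`) are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in the default.meta format shown on this page.
SAMPLE_META = """\
[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system
[views]
access = read : [ * ], write : [ * ]
"""
STANZA = re.compile(r"^\[([^\]/]+)(?:/(.+))?\]$")
ACCESS = re.compile(r"read\s*:\s*\[(.*?)\]\s*,\s*write\s*:\s*\[(.*?)\]")

def roles(text):
    return [r.strip() for r in text.split(",") if r.strip()]

def parse_meta(text):
    """Map 'type' or 'type/decoded name' to its read roles, write roles and export."""
    entries, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = STANZA.match(line)
        if m:
            label = m.group(1) + ("/" + unquote(m.group(2)) if m.group(2) else "")
            current = entries.setdefault(label, {"read": [], "write": [], "export": None})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            a = ACCESS.search(value) if key == "access" else None
            if a:
                current["read"], current["write"] = roles(a.group(1)), roles(a.group(2))
            elif key == "export":
                current["export"] = value
    return entries

def audit(entries):
    """Flag entries where the wildcard role can write, or can read from every app."""
    findings = []
    for label, e in entries.items():
        if "*" in e["write"]:
            findings.append((label, "write granted to every role"))
        if e["export"] == "system" and "*" in e["read"]:
            findings.append((label, "readable by every role in every app"))
    return findings

if __name__ == "__main__":
    for label, issue in audit(parse_meta(SAMPLE_META)):
        print(f"{label}: {issue}")
```

An entry without an object name, such as `[eventtypes]`, is reported under the type alone because it applies to all objects of that type.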