About users and roles
About users and roles
If you're running Splunk Enterprise, you can create users with passwords and assign them to roles you have created. Splunk Free does not support user authentication.
Splunk comes with a single default user, the admin user. The default password for the admin user is changeme. As the password implies, you should change this password immediately upon installing Splunk.
Splunk ships with support for three types of authentication systems, which are described in the Security Manual:
- Splunk's own built-in system. See "About user authentication with Splunk's built-in system" for more information.
- LDAP. Splunk supports authentication with its internal authentication services or your existing LDAP server. See "Set up user authentication with LDAP" for more information.
- Scripted authentication API. Use scripted authentication to tie Splunk's authentication into an external authentication system, such as RADIUS or PAM. See "Set up user authentication with external systems" for more information.
Users are assigned to roles. A role contains a set of capabilities. These specify what actions are available to roles. For example, capabilities determine whether someone with a particular role is allowed to add inputs or edit saved searches. The various capabilities are listed in "About defining roles with capabilities" in the Securing Splunk manual.
By default, Splunk comes with the following roles predefined:
- admin -- this role has the most capabilities assigned to it.
- power -- this role can edit all shared objects (saved searches, etc) and alerts, tag events, and other similar tasks.
- user -- this role can create and edit its own saved searches, run searches, edit its own preferences, create and edit event types, and other similar tasks.
For detailed information on roles and how to assign users to roles, see the chapter "Users and role-based access control" in the Security Manual.
Find existing users and roles
To locate an existing user or role in Manager, use the Search bar at the top of the Users or Roles page in the Access Controls section of Splunk Manager. Wildcards are supported. Splunk searches for the string you enter in all available fields by default. To search a particular field, specify that field. For example, to search only email addresses, type "email=<email address or address fragment>:, or to search only the "Full name" field, type "realname=<name or name fragment>. To search for users in a given role, use "roles=".