Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Add and edit roles

Add and edit roles using Splunk Web

In Splunk Web:

1. Click Manager.

2. Click Access controls.

3. Click Roles.

4. Click New or edit an existing role.

5. Specify new or changed information for this role. In particular, you can:

  • restrict what data this role can search with a search filter. See "Search filter format" below.
  • restrict how large a window of time this role can search.
  • specify whether this role inherits capabilities and properties from any other roles.
  • choose individual capabilities for this role.
  • specify an index or indexes that this role will search by default.
  • specify whether this role is restricted to a specific index or indexes.

6. Click Save.

Add and edit roles using authorize.conf

Configure roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create fine-grained access controls by setting a search filter for each role.

Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see About configuration files.

Add roles

Here's the syntax for adding roles through $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_<roleName>]
<attribute> = <value>
<attribute> = <value>

The <roleName> in the stanza header is the name you want to give your role. For example: security, compliance, ninja.

The role name must be lowercase. For example: "role_security"

You can include these attributes in the role stanza:

  • <capability> = enabled
    • This can be any capability from the list in "List of available capabilities". You can add any number of capabilities to a role.
    • Capabilities are disabled by default. To add a capability to a role, just set it to "enabled".
  • importRoles = <role>;<role>;...
    • When set, the current role will inherit all the capabilities from <role>.
    • Separate multiple roles, if any, with semicolons.
  • srchFilter = <search_string>
    • Use this field for fine-grained access controls. Searches for this role will be filtered by this expression.
    • See the next section for information on how to format the search filter.
  • srchTimeWin = <string>
    • Maximum time span (in seconds) of a search executed by this role.
  • srchDiskQuota = <int>
    • Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
  • srchJobsQuota = <int>
    • Maximum number of concurrently running searches a member of this role can have.
  • rtSrchJobsQuota = <number>
    • Maximum number of concurrently running real-time searches a member of this role can have.
  • srchIndexesDefault = <string>
    • Semicolon delimited list of indexes to search when no index is specified.
    • These indexes can be wildcarded, with the exception that '*' does not match internal indexes.
    • To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
  • srchIndexesAllowed = <string>
    • Semicolon delimited list of indexes this role is allowed to search.
    • Follows the same wildcarding semantics as srchIndexesDefault.

Note: You must reload authentication or restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches, but does not log out users who are currently signed in.

Search filter format

The srchFilter/Search filter field can include any of the following search terms:

  • source=
  • host= and host tags
  • index= and index names
  • eventtype= and event type tags
  • sourcetype=
  • search fields
  • wildcards
  • use OR to use multiple terms, or AND to make searches more restrictive

Note: Members of multiple roles inherit properties from the role with the broadest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all combined via OR. For example, by default, the Power and User roles do not have a search term filter restriction defined (this field is blank) and they do not restrict search results by default. If a user has a combination of the Power or User role and another role that does have restricted search terms defined (for example, srchFilter=x), the open search associated with the default Power (or User) role will no longer apply (and that user role will have the restriction of srchFilter=x). If you want to maintain the default of no search filter for the Power (or User) role, you must explicitly add the srchFilter=* to the role.

The search terms cannot include:

  • saved searches
  • time operators
  • regular expressions
  • any fields or modifiers Splunk Web can overwrite

Example of creating a role in authorize.conf

This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:

  • The search filter limits ninja to searching on host=foo.
  • ninja is allowed to search all public indexes (those that do not start with underscore) and will search the indexes mail and main if no index is specified in the search.
  • ninja is allowed to run 8 search jobs and 8 real-time search jobs concurrently. (These counts are independent.)
  • ninja is allowed to occupy up to 500MB total space on disk for all its jobs.

[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota   = 8
rtSrchJobsQuota = 8
srchDiskQuota   = 500
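To make the role stanza format and the search filter note above concrete, here is an added Python example (not Splunk code and not from this manual) that parses a constructed authorize.conf snippet with the standard-library configparser, resolves capabilities through importRoles, and OR-combines the srchFilter of every role a user holds, so that pairing a filter-less role with a restricted one yields only the restriction unless a role carries an explicit srchFilter=*. The role name "auditor", the attribute values and the stanza text are constructed for this example.

```python
import configparser

# Constructed sample authorize.conf (not from the Splunk docs): "user" has no
# search filter, "ninja" imports user and restricts to host=foo, "auditor"
# imports user and keeps the search open with an explicit srchFilter=*.
AUTHORIZE_CONF = """
[role_user]
search = enabled
rtsearch = enabled

[role_ninja]
importRoles = user
srchFilter = host=foo
srchIndexesDefault = mail;main

[role_auditor]
importRoles = user
srchFilter = *
"""

def load_roles(text):
    """Return {roleName: {attribute: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive (rtSrchJobsQuota)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}

def capabilities(roles, name, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # stop on import cycles or unknown roles
        return set()
    seen.add(name)
    attrs = roles[name]
    caps = {k for k, v in attrs.items() if v == "enabled"}
    for parent in filter(None, attrs.get("importRoles", "").split(";")):
        caps |= capabilities(roles, parent.strip(), seen)
    return caps

def effective_search_filter(roles, user_roles):
    """OR-combine the srchFilter of each assigned role; blank filters drop out."""
    filters = [f for f in (roles[r].get("srchFilter", "").strip() for r in user_roles) if f]
    if not filters:
        return ""  # no role defines a filter: unrestricted
    if len(filters) == 1:
        return filters[0]
    return " OR ".join(f"({f})" for f in filters)
```

Running effective_search_filter over ["user", "ninja"] returns just "host=foo", while ["auditor", "ninja"] returns "(*) OR (host=foo)", which is open: that is the behaviour the note warns about.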

List of available capabilities

This list shows capabilities available for roles. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list except for the "delete_by_keyword" capability.

Capability Meaning
admin_all_objects Has access to objects in the system (user objects, search jobs, etc.).
change_authentication Can change authentication settings and reload authentication.
change_own_password Can change own user password.
delete_by_keyword Can use the "delete" search operator.
edit_deployment_client Can change deployment client settings.
edit_deployment_server Can change deployment server settings.
edit_dist_peer Can add and edit peers for distributed search.
edit_forwarders Can change forwarder settings.
edit_httpauths Can edit and end user sessions.
edit_input_defaults Can change default hostnames for input data.
edit_monitor Can add inputs and edit settings for monitoring files.
edit_roles Can edit roles and change user/role mappings.
edit_scripted Can create and edit scripted inputs.
edit_search_server Can edit general distributed search settings like timeouts, heartbeats, and blacklists.
edit_server Can edit general server settings like server name, log levels, etc.
edit_splunktcp Can change settings for receiving TCP inputs from another Splunk instance.
edit_splunktcp_ssl Can list or edit any SSL-specific settings for Splunk TCP input.
edit_tcp Can change settings for receiving general TCP inputs.
edit_udp Can change settings for UDP inputs.
edit_user Can create, edit, or remove users.
edit_web_settings Can change settings for web.conf.
get_metadata Enables the "metadata" search processor.
get_typeahead Enables typeahead.
indexes_edit Can change index settings like file size and memory limits.
license_tab Can access and change the license.
list_forwarders Can show forwarder settings.
list_httpauths Can list user sessions.
list_inputs Can list various inputs, including input from files, TCP, UDP, scripts, etc.
request_remote_tok Can get a remote authentication token.
rest_apps_management Can edit settings in the python remote apps handler.
rest_apps_view Can list properties in the python remote apps handler.
rest_properties_get Can get information from the services/properties endpoint.
rest_properties_set Can edit the services/properties endpoint.
restart_splunkd Can restart Splunk through the server control handler.
rtsearch Can run real-time searches.
schedule_search Can schedule saved searches.
search Can run searches.
use_file_operator Can use the "file" search operator.

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


There are 10 capabilities in 4.3 (not verified if they exist in earlier versions) that are not listed here:

  • edit_win_admon
  • edit_win_eventlogs
  • edit_win_perfmon
  • edit_win_regmon
  • edit_win_wmiconf
  • license_edit
  • list_deployment_client
  • list_pdfserver
  • list_win_localavailablelogs
  • write_pdfserver

Cbergman splunk, Splunker
February 7, 2012
