
Add and edit roles with authorize.conf
You can add or modify roles by editing authorize.conf. Users are assigned to roles, which determine their level of access to Splunk and the tasks they can perform with Splunk. For more information about roles and capabilities, read "About role-based user access."
Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin Manual.
Note: Distributed search configurations have slightly different authorization needs. When you use search head pooling, you must make sure that the search heads and the search peers all use the same set of authorize.conf file(s). To make sure your authorization is properly set up for search pooling, see "How authorization works in distributed searches."
Add roles
Here's the syntax for adding roles through $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_<roleName>]
<attribute> = <value>
<attribute> = <value>
...

The <roleName> in the stanza header is the name you want to give your role. For example: security, compliance, ninja.
Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.
You can include these attributes in the role stanza:

- <capability> = enabled
  - You can add any number of capabilities to a role. See "About defining roles with capabilities" for more information.
  - Capabilities are disabled by default. To add a capability to a role, just set it to "enabled".
- importRoles = <role>;<role>;...
  - When set, the current role will inherit all the capabilities from <role>. Members assigned to multiple roles inherit properties from the role with the broadest permissions. See "Role inheritance" in the "About users and roles" topic for more information.
  - Separate multiple roles, if any, with semicolons.
- srchFilter = <search_string>
  - Use this field for fine-grained access controls. Searches for this role will be filtered by this expression. See "Search filter format" in this topic for more information.
- srchTimeWin = <string>
  - Maximum time span (in seconds) of a search executed by this role.
- srchDiskQuota = <int>
  - Maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
- srchJobsQuota = <int>
  - Maximum number of concurrently running searches a member of this role can have.
- rtSrchJobsQuota = <number>
  - Maximum number of concurrently running real-time searches a member of this role can have.
- srchIndexesDefault = <string>
  - Semicolon-delimited list of indexes to search when no index is specified.
  - These indexes can be wildcarded, with the exception that '*' does not match internal indexes.
  - To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
- srchIndexesAllowed = <string>
  - Semicolon-delimited list of indexes this role is allowed to search.
  - Follows the same wildcarding semantics as srchIndexesDefault.
Note: You must reload authentication or restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches, but does not log out current users.
Search filter format
The srchFilter field can include any of the following search terms:

- source=
- host= and host tags
- index= and index names
- eventtype= and event type tags
- sourcetype=
- search fields
- wildcards
- use OR to combine multiple terms, or AND to make searches more restrictive.
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
Example of creating a role in authorize.conf
This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:

- The search filter limits ninja to searching on host=foo.
- ninja is allowed to search all public indexes (those that do not start with an underscore) and will search the indexes mail and main if no index is specified in the search.
- ninja is allowed to run 8 search jobs and 8 real-time search jobs concurrently. (These counts are independent.)
- ninja is allowed to occupy up to 500MB total space on disk for all its jobs.

[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500
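As an added example that is not part of the Splunk documentation or Splunk's own code, the following Python script parses role stanzas from an authorize.conf-style file and checks them against the rules stated on this page: the role-name constraints, capability inheritance through importRoles, and the index wildcard rule under which '*' never matches internal indexes while '_*' does. It also flags srchFilter values containing time modifiers, where "earliest=" and "latest=" are assumed here to be the time operators the page excludes. The sample configuration is constructed from the ninja example above plus a minimal stand-in for the built-in user role; the real user role grants more capabilities than shown, and inheritance of index settings between roles is not modelled.

```python
"""Lint Splunk-style authorize.conf role stanzas against the rules this page
states. Example code written for this page, not Splunk's implementation."""
import configparser
import fnmatch

# Constructed sample: the page's ninja role plus a minimal stand-in for the
# built-in 'user' role (the real one grants more capabilities than this).
SAMPLE_CONF = """
[role_user]
search = enabled
rtsearch = enabled

[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500
"""

# Attributes from this page that are role settings rather than capabilities.
ROLE_SETTINGS = {
    "importRoles", "srchFilter", "srchTimeWin", "srchDiskQuota",
    "srchJobsQuota", "rtSrchJobsQuota", "srchIndexesDefault",
    "srchIndexesAllowed",
}
# Assumed time-modifier tokens; the page only says "time operators".
TIME_OPERATORS = ("earliest=", "latest=")


def parse_roles(text):
    """Return {role_name: {attribute: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive (srchFilter)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp.items(s))
            for s in cp.sections() if s.startswith("role_")}


def role_name_problems(name):
    """Page rule: lowercase only; no spaces, colons or forward slashes."""
    problems = []
    if name != name.lower():
        problems.append("role name must be lowercase")
    problems.extend(f"role name may not contain {c!r}" for c in " :/" if c in name)
    return problems


def search_filter_problems(stanza):
    """Flag srchFilter values that use the (assumed) time-modifier tokens."""
    flt = stanza.get("srchFilter", "").lower()
    return [f"srchFilter may not contain {tok}" for tok in TIME_OPERATORS if tok in flt]


def capabilities(roles, name, _seen=None):
    """Capabilities enabled on the role plus those inherited via importRoles."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in roles:
        return set()  # unknown role, or an inheritance cycle
    seen.add(name)
    stanza = roles[name]
    caps = {k for k, v in stanza.items()
            if k not in ROLE_SETTINGS and v.strip().lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= capabilities(roles, parent.strip(), seen)
    return caps


def index_matches(pattern, index):
    """Page rule: '*' does not match internal (underscore) indexes; '_*' does."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def allowed_indexes(roles, name, existing):
    """Indexes from `existing` that the role's own srchIndexesAllowed permits."""
    patterns = [p.strip() for p in roles[name].get("srchIndexesAllowed", "").split(";")]
    return sorted(i for i in existing
                  if any(index_matches(p, i) for p in patterns if p))


def lint(text):
    """Return {role: [problems]} for every role stanza in the text."""
    roles = parse_roles(text)
    return {name: role_name_problems(name) + search_filter_problems(stanza)
            for name, stanza in roles.items()}


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_CONF)
    print("problems:", lint(SAMPLE_CONF))
    print("ninja capabilities:", sorted(capabilities(roles, "ninja")))
    print("ninja may search:", allowed_indexes(
        roles, "ninja", ["main", "mail", "_internal", "_audit"]))
```

Run it against a copy of your local authorize.conf to see which indexes a role's srchIndexesAllowed pattern actually reaches; the check that '*' leaves _internal and _audit out is the one most often assumed the other way round.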
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18