Add and edit roles with Splunk Web
When you create users, you assign them to roles that determine the level of access to Splunk and the tasks that they can perform with Splunk. Splunk comes with a set of default roles that you can use, and you can also create your own.
For more information about roles and how capabilities and permissions are inherited read "About role-based user access."
Note: Custom roles that inherit from Admin or Power users do not automatically inherit management access. For more information about granting management access to custom roles, see "Add access controls to custom roles."
Add or edit a role
To create or edit roles in Splunk Web:
1. Click Settings > Access Controls.
2. Click Access controls page click Roles.
3. Click New or edit an existing role. Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.
4. Specify Search restrictions for this role. You create and restrict data access control and search capacity by specifying search restrictions.
- Restrict search terms: You can create search strings that determine what data will (or will not) display for a user assigned to the role. See "Search filter format" in this topic.
- Restrict search time range: specify over how large of a window of time this role can search.
- Limit concurrent search jobs: specify the maximum number of search jobs that can be run at one time for this role.
- Limit concurrent real-time search jobs: Specify the number of real-time search jobs that can be run at the same time for this role.
- Limit total jobs disk quota: Specify the total disc space you want to dedicate to search jobs for each user assigned to the role.
5. In the Inheritance section, select roles that you want your new role from which you want to inherit capabilities and properties. A user assigned to multiple roles inherits properties from the role with the broadest permissions. See "Role inheritance" in the "About role-based user access" topic for more information.
6. In the Capabilities section, choose any individual capabilities you want to provide to this role. See "About defining roles with capabilities" for more information.
7. In Indexes searched by default specify the indexes that this role will automatically search of no index is specified in the search.
8. In Indexes select indexes the user is allowed to search. If you add at least one index, a user with this role will only be able to conduct searches on the index or indexes selected. If you do not specify any indexes at all, the user assigned to the role is able to search all indexes.
9. Click Save.
Search filter format
The Search filter field can include any of the following search terms:
- search fields
ORto use multiple terms, or
ANDto make searches more restrictive
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
About defining roles with capabilities
Add and edit roles with authorize.conf
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14