Splunk® Enterprise

Securing Splunk Enterprise

This documentation does not apply to the most recent version of Splunk.

About defining roles with capabilities

When you create a user in Splunk Web you assign that user to one role. See "About role-based user access" for more information.

Each role contains a set of capabilities. You can add or edit capabilities for new, existing, and default roles. For example, you might give a role the capability to add inputs or edit saved searches.

To add or change the capabilities for a role in Splunk Web, see "Add and edit roles with Splunk Web." To create roles by editing authorize.conf, see "Add and edit roles with authorize.conf."

List of available capabilities

This list shows the capabilities that you can add to any role. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list except for the "delete_by_keyword" capability.

| Capability name | What it lets you do |
| --- | --- |
| accelerate_datamodel | Enable or disable acceleration for data models. |
| accelerate_search | Enable or disable acceleration for reports. For a role to use this it must also have the schedule_search capability. |
| admin_all_objects | Access and modify any object in the system (user objects, search jobs, etc.). (Overrides any limits set in the objects.) |
| change_authentication | Change authentication settings and reload authentication. |
| change_own_password | User can change their own password. |
| delete_by_keyword | Use the "delete" operator in searches. |
| edit_deployment_client | Change deployment client settings. |
| edit_deployment_server | Change deployment server settings. |
| edit_dist_peer | Add and edit peers for distributed search. |
| edit_forwarders | Change forwarder settings. |
| edit_httpauths | Edit and end user sessions. |
| edit_input_defaults | Change default hostnames for input data. |
| edit_monitor | Add inputs and edit settings for monitoring files. |
| edit_roles | Edit roles and change user/role mappings. |
| edit_scripted | Create and edit scripted inputs. |
| edit_search_server | Edit general distributed search settings like timeouts, heartbeats, and blacklists. |
| edit_server | Edit general server settings like server name, log levels, etc. |
| edit_splunktcp | Change settings for receiving TCP inputs from another Splunk instance. |
| edit_splunktcp_ssl | Can list or edit any SSL-specific settings for Splunk TCP input. |
| edit_tcp | Change settings for receiving general TCP inputs. |
| edit_udp | Change settings for UDP inputs. |
| edit_user | Create, edit, or remove users. |
| edit_view_html | Create, edit, or modify HTML-based views. |
| edit_web_settings | Change settings for web.conf. |
| embed_report | Embed reports and disable embedding for embedded reports. |
| get_diag | Use the /streams/diag endpoint to get a remote diag from a Splunk instance. |
| get_metadata | Use the "metadata" search processor. |
| get_typeahead | Use typeahead. |
| indexes_edit | Change index settings like file size and memory limits. |
| input_file | Add a file as an input. |
| license_tab | Access and change the license. |
| license_edit | Edit the license. |
| list_deployment_client | View deployment client settings. |
| list_deployment_server | View deployment server settings. |
| list_forwarders | View forwarder settings. |
| list_httpauths | View user sessions. |
| list_inputs | View list of various inputs, including input from files, TCP, UDP, scripts, etc. |
| output_file | Add a file as an output. |
| request_remote_tok | Get a remote authentication token. |
| rest_apps_management | Edit settings in the python remote apps handler. |
| rest_apps_view | List properties in the python remote apps handler. |
| rest_properties_get | Can get information from the services/properties endpoint. |
| rest_properties_set | Edit the services/properties endpoint. |
| restart_splunkd | Restart Splunk through the server control handler. |
| rtsearch | Run real-time searches. |
| run_debug_commands | Run debug commands. |
| schedule_search | Schedule saved searches, create and update alerts, and review triggered alert information. |
| schedule_rtsearch | Schedule real-time saved searches. In order for a user to use this capability their role must also have the schedule_search capability. |
| search | Run searches. |
| use_file_operator | Use the "file" search operator. |

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
