The following are the spec and example files for authorize.conf.
# Version 6.3.10 # # This file contains possible attribute/value pairs for creating roles in # authorize.conf. You can configure roles and granular access controls by # creating your own authorize.conf. # There is an authorize.conf in $SPLUNK_HOME/etc/system/default/. To set # custom configurations, place an authorize.conf in # $SPLUNK_HOME/etc/system/local/. For examples, see authorize.conf.example. # You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top # of the file. # * Each conf file should have at most one default stanza. If there are # multiple default stanzas, attributes are combined. In the case of # multiple definitions of the same attribute, the last definition in # the file wins. # * If an attribute is defined at both the global level and in a specific # stanza, the value in the specific stanza takes precedence.
srchFilterSelecting = <boolean> * Determine's whether roles' search filters will be used for selecting or eliminating during role inheritance. * Selecting will join the search filters with an OR when combining the filters. * Eliminating will join the search filters with an AND when combining the filters. * All roles will default to true (in other words, selecting). * Example: * role1 srchFilter = sourcetype!=ex1 with selecting=true * role2 srchFilter = sourcetype=ex2 with selecting = false * role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true * role3 inherits from role2 and role 2 inherits from role1 * Resulting srchFilter = ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))
* DO NOT edit, remove, or add capability stanzas. The existing capabilities are the full set of Splunk system capabilities. * Splunk adds all of its capabilities this way * For the default list of capabilities and assignments, see authorize.conf under the 'default' directory * Descriptions of specific capabilities are listed below.
<capability> = <enabled> * A capability that is enabled for this role. * You can list many of these. * Note that 'enabled' is the only accepted value here, as capabilities are disabled by default. * Roles inherit all capabilities from imported roles, and inherited capabilities cannot be disabled. * Role names cannot have uppercase characters. User names, however, are case-insensitive. importRoles = <string> * Semicolon delimited list of other roles and their associated capabilities that should be imported. * Importing other roles also imports the other aspects of that role, such as allowed indexes to search. * By default a role imports no other roles. grantableRoles = <string> * Semicolon delimited list of roles that can be granted when edit_user capability is present. * By default, a role with edit_user capability can create/edit a user and assign any role to them. But when grantableRoles is present, the roles that can be assigned will be restricted to the ones provided. * For a role that has no edit_user capability, grantableRoles has no effect. * Defaults to not present. * Example: grantableRoles = role1;role2;role3 srchFilter = <string> * Semicolon delimited list of search filters for this Role. * By default we perform no search filtering. * To override any search filters from imported roles, set this to '*', as the 'admin' role does. srchTimeWin = <number> * Maximum time span of a search, in seconds. * This time window limit is applied backwards from the latest time specified in a search. * By default, searches are not limited to any specific time window. * To override any search time windows from imported roles, set this to '0' (infinite), as the 'admin' role does. * -1 is a special value that implies no search window has been set for this role * This is equivalent to not setting srchTimeWin at all, which means it can be easily overridden by an imported role srchDiskQuota = <number> * Maximum amount of disk space (MB) that can be used by search jobs of a user that belongs to this role * Defaults to '100', for 100 MB. srchJobsQuota = <number> * Maximum number of concurrently running historical searches a member of this role can have. * This excludes real-time searches, see rtSrchJobsQuota. * Defaults to 3. rtSrchJobsQuota = <number> * Maximum number of concurrently running real-time searches a member of this role can have. * Defaults to 6. srchMaxTime = <number><unit> * Maximum amount of time that searches of users from this role will be allowed to run. * Once the search has been ran for this amount of time it will be auto finalized, If the role * Inherits from other roles, the maximum srchMaxTime value specified in the included roles. * This maximum does not apply to real-time searches. * Examples: 1h, 10m, 2hours, 2h, 2hrs, 100s * Defaults to 100days srchIndexesDefault = <string> * Semicolon delimited list of indexes to search when no index is specified * These indexes can be wildcarded, with the exception that '*' does not match internal indexes * To match internal indexes, start with '_'. All internal indexes are represented by '_*' * Defaults to none, but the UI will automatically populate this with 'main' in manager srchIndexesAllowed = <string> * Semicolon delimited list of indexes this role is allowed to search * Follows the same wildcarding semantics as srchIndexesDefault * Defaults to none, but the UI will automatically populate this with '*' in manager cumulativeSrchJobsQuota = <number> * Maximum number of concurrently running historical searches that all members of this role can have. * If a user belongs to multiple roles, he or she will first consume searches from the role with the largest cumulative search quota. Once the quota for a role is used up, roles with lower quotas will be examined. * In search head clustering environments, this setting takes effect on a per-node basis. There is no cluster-wide accounting. cumulativeRTSrchJobsQuota = <number> * Maximum number of concurrently running real-time searches that all members of this role can have. * If a user belongs to multiple roles, he or she will first consume searches from the role with the largest cumulative search quota. Once the quota for a role is used up, roles with lower quotas will be examined. * In search head clustering environments, this setting takes effect on a per-node basis. There is no cluster-wide accounting. ### Descriptions of Splunk system capabilities
* Required to accelerate a datamodel.
* A role with this capability has access to objects in the system (user objects, search jobs, etc.) * This bypasses any ACL restrictions (similar to root access in a *nix environment) * We check this capability when accessing manager pages and objects
* Required to change authentication settings through the various authentication endpoints. * Also controls whether authentication can be reloaded
* Self explanatory. Some auth systems prefer to have passwords be immutable for some users.
* Required to use the 'delete' search operator. Note that this does not actually delete the raw data on disk. * Delete merely masks the data (via the index) from showing up in search results.
* Self explanatory. The deployment client admin endpoint requires this cap for edit.
* Self explanatory.
* Self explanatory. The deployment server admin endpoint requires this cap for edit. * Required to change/create remote inputs that get pushed to the forwarders.
* Self explanatory.
* Required to add and edit peers for distributed search.
* Required to edit settings for forwarding data. * Used by TCP and Syslog output admin handlers * Includes settings for SSL, backoff schemes, etc.
* Required to edit and end user sessions through the httpauth-tokens endpoint
* Required to change the default hostname for input data in the server settings endpoint.
* Required to add inputs and edit settings for monitoring files. * Used by the standard inputs endpoint as well as the one-shot input endpoint.
* Required to edit roles as well as change the mappings from users to roles. * Used by both the users and roles endpoint.
* Required to create and edit scripted inputs.
* Required to edit general distributed search settings like timeouts, heartbeats, and blacklists
* Required to edit general server settings such as the server name, log levels, etc.
* Required to edit and manage search head clustering.
* Required to disable/enable the search scheduler.
* Required to display search scheduler settings.
* Required to create and edit sourcetypes.
* Required to change settings for receiving TCP input from another Splunk instance.
* Required to list or edit any SSL specific settings for Splunk TCP input.
* Required to change settings for receiving general TCP inputs.
* Required to change settings for UDP inputs.
* Required to create, edit, display and remove settings for HTTP token input.
* Required to create, edit, or remove users. * Note that Splunk users may edit certain aspects of their information without this capability. * Also required to manage certificates for distributed search.
* Required to create, edit, or otherwise modify HTML-based views.
* Required to change the settings for web.conf through the system settings endpoint.
* Required to use the /streams/diag endpoint to get remote diag from an instance
* Required to use the 'metadata' search processor.
* Required for typeahead. This includes the typeahead endpoint and the 'typeahead' search processor.
* Required for inputcsv (except for dispatch=t mode) and inputlookup
* Required to change any index settings like file size and memory limits.
* Required to access and change the license.
* Required to show settings for forwarding data. * Used by TCP and Syslog output admin handlers.
* Required to list user sessions through the httpauth-tokens endpoint.
* Required to view the list of various inputs. * This includes input from files, TCP, UDP, Scripts, etc.
* Required to list search head clustering objects like artifacts, delegated jobs, members, captain, etc.
* Required for outputcsv (except for dispatch=t mode) and outputlookup
* Required to get a remote authentication token. * Used for distributing search to old 4.0.x Splunk instances. * Also used for some distributed peer management and bundle replication.
* Required to edit settings for entries and categories in the python remote apps handler. * See restmap.conf for more information
* Required to list various properties in the python remote apps handler. * See restmap.conf for more info
* Required to get information from the services/properties endpoint.
* Required to edit the services/properties endpoint.
* Required to restart Splunk through the server control handler.
* Required to run a realtime search.
* Required to run debugging commands like 'summarize'
* Required to schedule saved searches.
* Required to schedule real time saved searches. Note that scheduled_search capability is also required to be enabled
* Self explanatory - required to run a search.
* Required to use the 'file' search operator.
* Required to save an accelerated search * All users have this capability by default
* Required to access /_bump and /debug/** web debug endpoints
# Version 6.3.10 # # This is an example authorize.conf. Use this file to configure roles and # capabilities. # # To use one or more of these configurations, copy the configuration block # into authorize.conf in $SPLUNK_HOME/etc/system/local/. You must reload # auth or restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles [role_ninja] rtsearch = enabled importRoles = user srchFilter = host=foo srchIndexesAllowed = * srchIndexesDefault = mail;main srchJobsQuota = 8 rtSrchJobsQuota = 8 srchDiskQuota = 500 # This creates the role 'ninja', which inherits capabilities from the 'user' # role. ninja has almost the same capabilities as power, except cannot # schedule searches. # # The search filter limits ninja to searching on host=foo. # # ninja is allowed to search all public indexes (those that do not start # with underscore), and will search the indexes mail and main if no index is # specified in the search. # # ninja is allowed to run 8 search jobs and 8 real time search jobs # concurrently (these counts are independent). # # ninja is allowed to take up 500 megabytes total on disk for all their jobs.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.10