
About defining roles with capabilities
When you create a user in Splunk Web you assign that user to one role. See "About role-based user access" for more information.
Each role contains a set of capabilities. You can add or edit capabilities for new, existing, and default roles. For example, you might give a role the capability to add inputs or edit saved searches.
To add or change the capabilities of a role in Splunk Web, see "Add and edit roles with Splunk Web." To create roles by editing authorize.conf, see "Add and edit roles with authorize.conf."
List of available capabilities
This list shows the capabilities that you can add to any role. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list except for the "delete_by_keyword" capability.
Capability name | What it lets you do |
---|---|
accelerate_datamodel | Enable or disable acceleration for data models. |
accelerate_search | Enable or disable acceleration for reports. For a role to use this it must also have the schedule_search capability. |
admin_all_objects | Access and modify any object in the system (user objects, search jobs, etc.). (Overrides any limits set in the objects.) |
change_authentication | Change authentication settings and reload authentication. |
change_own_password | User can change their own password. |
delete_by_keyword | Use the "delete" operator in searches. |
edit_deployment_client | Change deployment client settings. |
edit_deployment_server | Change deployment server settings. |
edit_dist_peer | Add and edit peers for distributed search. |
edit_forwarders | Change forwarder settings. |
edit_httpauths | Edit and end user sessions. |
edit_input_defaults | Change default hostnames for input data. |
edit_managed_configurations | Edit managed configurations. |
edit_monitor | Add inputs and edit settings for monitoring files. |
edit_roles | Edit roles and change user/role mappings. |
edit_scripted | Create and edit scripted inputs. |
edit_search_head_clustering | Edit search head clustering settings. |
edit_search_server | Edit general distributed search settings like timeouts, heartbeats, and blacklists. |
edit_server | Edit general server settings like server name, log levels, etc. |
edit_splunktcp | Change settings for receiving TCP inputs from another Splunk instance. |
edit_splunktcp_ssl | Can list or edit any SSL-specific settings for Splunk TCP input. |
edit_sourcetypes | Edit sourcetypes. |
edit_tcp | Change settings for receiving general TCP inputs. |
edit_tcp_token | Change TCP tokens. This is an admin capability and should only be assigned to system administrators. |
edit_udp | Change settings for UDP inputs. |
edit_user | Create, edit, or remove users. |
edit_view_html | Create, edit, or modify HTML-based views. |
edit_web_settings | Change settings for web.conf. |
embed_report | Embed reports and disable embedding for embedded reports. |
get_diag | Use the /streams/diag endpoint to get a remote diag from a Splunk instance. |
get_metadata | Use the "metadata" search processor. |
get_typeahead | Use typeahead. |
indexes_edit | Change index settings like file size and memory limits. |
input_file | Add a file as an input. |
license_tab | Access and change the license. |
license_edit | Edit the license. |
list_deployment_client | View deployment client settings. |
list_deployment_server | View deployment server settings. |
list_forwarders | View forwarder settings. |
list_httpauths | View user sessions. |
list_inputs | View list of various inputs, including input from files, TCP, UDP, scripts, etc. |
list_search_scheduler | View lists of search scheduler jobs. |
output_file | Add a file as an output. |
pattern_detect | Controls ability to see and use the Patterns tab in the Search view. |
request_remote_tok | Get a remote authentication token. |
rest_apps_management | Edit settings in the python remote apps handler. |
rest_apps_view | List properties in the python remote apps handler. |
rest_properties_get | Can get information from the services/properties endpoint. |
rest_properties_set | Edit the services/properties endpoint. |
restart_splunkd | Restart Splunk through the server control handler. |
rtsearch | Run real-time searches. For rtsearch to work, scheduled_search must be enabled for this role as well. |
run_debug_commands | Run debug commands. |
schedule_search | Schedule saved searches, create and update alerts, and review triggered alert information. |
schedule_rtsearch | Schedule real-time saved searches. In order for a user to use this capability their role must also have the schedule_search capability. |
search | Run searches. |
srchFilter | Lets users manage search filters. |
srchIndexesAllowed | User is allowed to search indexes. |
srchJobsQuota | Set search job quotas. |
srchMaxTime | Set the maximum time for a search. |
use_file_operator | Use the "file" search operator. |
srchIndexesDefault | Set default search indexes. |
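An added example (not Splunk's code) that audits role stanzas against rules stated in the list above: the schedule_search prerequisite for accelerate_search and schedule_rtsearch, the admin-only note on edit_tcp_token, and delete_by_keyword being absent from admin. The stanza layout, the role names, and the function names are assumptions constructed for illustration.

```python
# Rules taken from the capability list above.
REQUIRES = {"accelerate_search": "schedule_search",
            "schedule_rtsearch": "schedule_search"}
ALLOWED = {"edit_tcp_token": {"admin"},    # list: system administrators only
           "delete_by_keyword": set()}     # list: not in admin by default
# Constructed sample. The stanza layout ([role_<name>], <capability> = enabled,
# importRoles = a;b) is an assumption about authorize.conf.
SAMPLE = """\
[role_power]
schedule_search = enabled
schedule_rtsearch = enabled
[role_analyst]
accelerate_search = enabled
edit_tcp_token = enabled
[role_intern]
importRoles = analyst;power
"""

def parse_roles(text):
    """Map role name -> {"caps": set, "imports": list}."""
    roles, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):       # only [role_*] stanzas are audited
            is_role = line.startswith("[role_") and line.endswith("]")
            cur = roles.setdefault(line[6:-1], {"caps": set(), "imports": []}) if is_role else None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "importRoles":
                cur["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif value.lower() == "enabled":
                cur["caps"].add(key)   # settings with other values are skipped
    return roles

def effective_caps(roles, name, seen=frozenset()):
    """Own capabilities plus those inherited through importRoles."""
    if name in seen or name not in roles:
        return set()                   # import cycle or undefined role
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_caps(roles, parent, seen | {name})
    return caps

def audit(text):
    """Return sorted (role, finding) pairs for the rules above."""
    roles, out = parse_roles(text), []
    for name in roles:
        caps = effective_caps(roles, name)
        out += [(name, f"{c} requires {n}") for c, n in REQUIRES.items() if c in caps and n not in caps]
        out += [(name, f"{c} is restricted") for c, ok in ALLOWED.items() if c in caps and name not in ok]
    return sorted(out)
```

In the sample, the intern role inherits schedule_search from power, so only its inherited edit_tcp_token is reported, while analyst is reported for both the missing prerequisite and the restricted capability.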
Windows-specific capabilities
If you are running Splunk on Windows, additional capabilities are provided to facilitate monitoring.
Capability name | What it lets you do |
---|---|
edit_win_eventlogs | Edit Windows event logs. |
list_win_localavailablelogs | List all local Windows event logs. |
list_pdfserver | |
write_pdfserver | |
srchTimeWin | Set search time limits. |
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
Comments
Doc is missing "edit_managed_configurations" & "list_search_scheduler"
Doc is also missing the "edit_sourcetypes"
Best regards,
Jeffrey
Doc above is missing "edit_search_head_clustering" capability assigned to admins
Doc is missing some capabilities, such as: srchFilter, srchIndexesAllowed, srchIndexesDefault, srchJobsQuota, srchMaxTime, srchTimeWin