Splunk® Enterprise

Securing the Splunk Platform


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About defining roles with capabilities

When you create a user in Splunk Web, you assign that user to one role. See "About role-based user access" for more information.

Each role contains a set of capabilities. You can add or edit capabilities for new, existing, and default roles. For example, you might give a role the capability to add inputs or edit saved searches.

To add or change the capabilities for a role in Splunk Web, see "Add and edit roles with Splunk Web." To create roles by editing authorize.conf, see "Add and edit roles with authorize.conf."

List of available capabilities

This list shows the capabilities that you can add to any role. Check authorize.conf for the most up-to-date version of this list. The admin role has all the capabilities in this list except for the "delete_by_keyword" capability.

| Capability name | What it lets you do |
| --- | --- |
| accelerate_datamodel | Enable or disable acceleration for data models. |
| accelerate_search | Enable or disable acceleration for reports. For a role to use this it must also have the schedule_search capability. |
| admin_all_objects | Access and modify any object in the system (user objects, search jobs, etc.). (Overrides any limits set in the objects.) |
| change_authentication | Change authentication settings and reload authentication. |
| change_own_password | User can change their own password. |
| delete_by_keyword | Use the "delete" operator in searches. |
| edit_deployment_client | Change deployment client settings. |
| edit_deployment_server | Change deployment server settings. |
| edit_dist_peer | Add and edit peers for distributed search. |
| edit_forwarders | Change forwarder settings. |
| edit_httpauths | Edit and end user sessions. |
| edit_input_defaults | Change default hostnames for input data. |
| edit_managed_configurations | Edit managed configurations. |
| edit_monitor | Add inputs and edit settings for monitoring files. |
| edit_roles | Edit roles and change user/role mappings. |
| edit_scripted | Create and edit scripted inputs. |
| edit_search_head_clustering | Edit search head clustering settings. |
| edit_search_server | Edit general distributed search settings like timeouts, heartbeats, and blacklists. |
| edit_server | Edit general server settings like server name, log levels, etc. |
| edit_splunktcp | Change settings for receiving TCP inputs from another Splunk instance. |
| edit_splunktcp_ssl | Can list or edit any SSL-specific settings for Splunk TCP input. |
| edit_sourcetypes | Edit sourcetypes. |
| edit_tcp | Change settings for receiving general TCP inputs. |
| edit_tcp_token | Change TCP tokens. This is an admin capability and should only be assigned to system administrators. |
| edit_udp | Change settings for UDP inputs. |
| edit_user | Create, edit, or remove users. |
| edit_view_html | Create, edit, or modify HTML-based views. |
| edit_web_settings | Change settings for web.conf. |
| embed_report | Embed reports and disable embedding for embedded reports. |
| get_diag | Use the /streams/diag endpoint to get a remote diag from a Splunk instance. |
| get_metadata | Use the "metadata" search processor. |
| get_typeahead | Use typeahead. |
| indexes_edit | Change index settings like file size and memory limits. |
| input_file | Add a file as an input. |
| license_tab | Access and change the license. |
| license_edit | Edit the license. |
| list_deployment_client | View deployment client settings. |
| list_deployment_server | View deployment server settings. |
| list_forwarders | View forwarder settings. |
| list_httpauths | View user sessions. |
| list_inputs | View list of various inputs, including input from files, TCP, UDP, scripts, etc. |
| list_search_scheduler | View lists of search scheduler jobs. |
| output_file | Add a file as an output. |
| pattern_detect | Controls ability to see and use the Patterns tab in the Search view. |
| request_remote_tok | Get a remote authentication token. |
| rest_apps_management | Edit settings in the python remote apps handler. |
| rest_apps_view | List properties in the python remote apps handler. |
| rest_properties_get | Can get information from the services/properties endpoint. |
| rest_properties_set | Edit the services/properties endpoint. |
| restart_splunkd | Restart Splunk through the server control handler. |
| rtsearch | Run real-time searches. For rtsearch to work, schedule_search must be enabled for this role as well. |
| run_debug_commands | Run debug commands. |
| schedule_search | Schedule saved searches, create and update alerts, and review triggered alert information. |
| schedule_rtsearch | Schedule real-time saved searches. In order for a user to use this capability their role must also have the schedule_search capability. |
| search | Run searches. |
| srchFilter | Lets users manage search filters. |
| srchIndexesAllowed | User is allowed to search indexes. |
| srchJobsQuota | Set search job quotas. |
| srchMaxTime | Set the maximum time for a search. |
| use_file_operator | Use the "file" search operator. |
| srchIndexesDefault | Set default search indexes. |
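
The prerequisites noted in the table (accelerate_search, rtsearch and schedule_rtsearch each need schedule_search) and the restricted capabilities it singles out can be checked mechanically when roles are defined in authorize.conf. The following is an added example, not Splunk's code or part of the original documentation: it assumes a single merged authorize.conf with `[role_<name>]` stanzas, `<capability> = enabled` lines and a semicolon-separated `importRoles` setting, and the sample role names are hypothetical.

```python
import configparser

# Prerequisites stated in the capability table: capability -> capability it also needs.
# (The rtsearch prerequisite is taken to be schedule_search, the name the table lists.)
REQUIRES = {"accelerate_search": "schedule_search",
            "rtsearch": "schedule_search",
            "schedule_rtsearch": "schedule_search"}
# delete_by_keyword is withheld even from admin; edit_tcp_token is admin-only per the table.
RESTRICTED = {"delete_by_keyword", "edit_tcp_token"}

# Constructed sample authorize.conf content; the role names are hypothetical.
SAMPLE = """
[role_report_builder]
search = enabled
accelerate_search = enabled

[role_soc_analyst]
importRoles = report_builder
schedule_search = enabled
rtsearch = enabled
delete_by_keyword = enabled
"""

def parse_roles(text):
    """Return {role: (enabled capabilities, imported roles)} from [role_*] stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (importRoles, srchFilter)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            opts = dict(cp[section])
            caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
            imports = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
            roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective(roles, name, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # stop on import cycles and unknown roles
        return set()
    seen.add(name)
    caps, imports = roles[name]
    return set(caps).union(*(effective(roles, p, seen) for p in imports))

def audit(text):
    """List (role, finding) pairs: unmet prerequisites and restricted grants."""
    roles, findings = parse_roles(text), []
    for name in sorted(roles):
        caps = effective(roles, name)
        findings += [(name, f"{c} needs {n}") for c, n in sorted(REQUIRES.items())
                     if c in caps and n not in caps]
        findings += [(name, f"{c} granted") for c in sorted(caps & RESTRICTED)]
    return findings
```

Calling `audit(SAMPLE)` reports that report_builder enables accelerate_search without schedule_search and that soc_analyst has been granted delete_by_keyword.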

Windows-specific capabilities

If you are running Splunk on Windows, additional capabilities are provided to facilitate monitoring.

| Capability name | What it lets you do |
| --- | --- |
| edit_win_eventlogs | Edit Windows event logs. |
| list_win_localavailablelogs | List all local Windows event logs. |
| srchTimeWin | Set search time limits. |

Last modified on 08 August, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
