You can add or modify roles by editing authorize.conf. Users are assigned to roles that determine their level of access and the tasks that they can perform. For more information about roles and capabilities, read About role-based user access.
Never edit or delete roles in
$SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Instead edit the local version at
$SPLUNK_HOME/etc/system/local/, or your own custom application directory in
You must reload authentication or restart Splunk Enterprise after making changes to
authorize.conf. Otherwise, your new roles will not appear in the Role list. To reload authentication, go to the Manager > Authentication section of Splunk Web. This refreshes the authentication caches but does not boot current users from the system.
For more information, see
Note: Distributed search configurations have slightly different authorization needs. When you use search head clustering, you must make sure that the search heads and the search peers all use the same set of
authorize.conf file(s). To make sure your authorization is properly set up for search pooling, see How authorization works in distributed searches.
Here's the syntax for adding roles through
[role_<roleName>] <setting> = <value> <setting> = <value> ...
<roleName> in the stanza header is the name you want to give your role. For example:
Role names must use lowercase characters only. They cannot contain spaces, colons, semicolons, or forward slashes.
You can include these settings in the role stanza:
|Setting||Definition||Default||For more information|
||You can add any number of capabilities to a role. To add a capability to a role, just set that capability to "enabled".||
||See About defining roles with capabilities.|
|| When set, the current role inherits the capabilities from
||No roles set.||See Role inheritance.|
||This setting lets you define detailed data access controls. Users with this role will have their searches filtered by this expression.||No filters are set.||See Search filter format.|
||The maximum time span in seconds allowed for a search executed by a user in this role.||Not set. Search times are not limited.|
||The maximum amount of disk space (MB) that can be used by search jobs performed by a user assigned to this role.||100|
|| The maximum number of concurrently running historical searches that all members of this role can have. For this setting to apply, you must also set
When a user belongs to multiple roles, the user uses searches from the roles with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used.
|| The maximum number of concurrently running real-time searches that all members of this role can have. For this setting to apply, you must also set
If the user belongs to multiple roles, the user uses searches from the roles with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used.
||The maximum number of concurrently running searches a member of this role can have.||3|
||The maximum number of concurrently running real-time searches a member of this role can have.||6|
|| A semicolon-delimited list of default indexes to search when no index is specified.
The list can include both event indexes and metric indexes. When the user runs an event search that does not specify an index, the search runs over the default event indexes. When the user runs a metrics search that does not specify an index, the search runs over the default metrics indexes.
|| A semicolon-delimited list of indexes this role is allowed to search. The list can include both event and metrics indexes.
You can wildcard your entries. However the wildcard '*' will not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
Search filter format
srchFilter field can include any of the following search terms:
host=and host tags
index=and index names
eventtype=and event type tags
- search fields
ORto use multiple terms, or
ANDto make searches more restrictive.
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:
- The search filter limits ninja to searching on
- ninja is allowed to search all public indexes (those that do not start with underscore) and will search the indexes
mainif no index is specified in the search.
- ninja is allowed to run 8 search jobs and 8 real-time search jobs concurrently. (These counts are independent.)
- ninja is allowed to occupy up to 500MB total space on disk for all its jobs.
[role_ninja] rtsearch = enabled importRoles = user srchFilter = host=foo srchIndexesAllowed = * srchIndexesDefault = mail;main srchJobsQuota = 8 rtSrchJobsQuota = 8 srchDiskQuota = 500
Add and edit roles with Splunk Web
Setting access to manager consoles and apps
This documentation applies to the following versions of Splunk® Enterprise: 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6