Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Setting access to manager consoles and apps

The local.meta file is handy for allowing you to grant and restrict access to certain parts of your Splunk instance. For example, you can:

  • Restrict users in custom roles to a specific app
  • Give users in custom roles the ability to access admin level features

Granting admin roles to users

Some management abilities that belong to the Admin role are unique to that specific label. These abilities are not automatically inherited from the Admin role when you configure a role in Splunk Web or authorize.conf.

For example, say you want to create a custom role that inherits all of the Admin abilities but has limited access to your search jobs. To do this, you would create a new role called "SpecialAdmin" and set it to inherit all of the capabilities of an Admin as described in About defining roles with capabilities then set your search limits About configuring role-based user access.

Restricting access to specific apps

The local.meta file can also be used to restrict access.

For example, say you want to allow a user access to only one dashboard view. To accomplish this, you could create an app for that view and assign the user's role to that app. You should use local.meta to permit the role to view that app.

How to add and remove access via local.meta files

You can give or restrict access by editing the local.meta file to add the new role wherever you want it.

1. Locate the local.meta file. If you are editing access for the main search page (ie, the manager controls), look in $SPLUNK_HOME/etc/system/metadata/. If you want to edit access to a particular app, look in $SPLUNK_HOME/etc/apps/<app_name>/metadata/. If the directory for the desired location does not contain the file, you can copy the default version default.meta and rename it.

Note: Do NOT edit the default.meta file directly, you may need the default values in that file at a future time.

2. In the local.meta file, add the name of the new role to the stanza that corresponds with the desired access.

Default stanza What it does

access = read : [ * ], write : [ admin, power ]

Allow all users to read this app's contents, or access functions in the Splunk Manager page, depending on the directory you are in. Unless overridden by other metadata, allows only admin and power users to share objects into this app.

[views] [manager/accesscontrols] access = read : [ * ], write : [ admin ]

Determines the access controls for the Manager page access.

3. When you have made all of your changes, restart Splunk Enterprise.


Example 1: A new role called "usermanager" only inherits capabilities from a user and has no searches or indexes inherited. The intent is to create a role that has no access to data and is solely used to create and manage user accounts.

To create this role you would edit the following stanza:

access = read : [ admin ], write : [ admin ]

To include the following:

access = read : [ admin, usermanager ], write : [ admin, usermanager ]

You have just given "usermanager" the ability to see and edit stuff in the "Access controls" pages in Manager.

Example 2: To enable the role "userview," to access but not edit the pages, only add the role to the read value:

access = read : [ admin, userview, usermanager ], write : [ admin, usermanager ]

You can also grant access to read the manager pages to EVERY role using the wildcard:

access = read : [ * ], write : [ admin ]

Example 3: You want to have a subset of users who can only read sales data that you specify. To accomplish this you can create an app for the dashboard and then create a new role "salesusers."

In the local.meta file in your app directory (remember that you can create one from the default.meta file), you then edit the following stanza:

access = read : [ * ], write : [ * ]

to read:

access = read : [ salesusers ], write : [ admin ]
Last modified on 18 July, 2018
Add and edit roles with authorize.conf
Find existing users and roles

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.10, 7.0.11, 7.0.13, 6.3.1, 7.0.3, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 7.0.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters