Splunk® Enterprise

Securing the Splunk Platform

About configuring role-based user access

Roles let you control access to resources on the Splunk platform. When you configure role-based user access, you determine the permissions and capabilities that users have through the roles that they hold. Users cannot receive permissions or capabilities directly; a role is the only link between a user and what that user can do on the Splunk platform.

You can assign roles to users to control the scope of the tasks that they can perform, the data they can search, and the amount of resources they can consume on the platform. Users can hold multiple roles, and each role grants specific access to resources or platform actions, as the role defines them. Roles only grant access; they never take it away. If you do not want a user to perform a certain function, that user must not hold any role that allows it.

For more information about users, see About user authentication.

Predefined roles

The Splunk platform comes with the following predefined roles:

  • admin: This role is intended for administrators who manage all or most of the users, objects, and configuration, and it comes with the most capabilities.
  • power: This role can edit all shared objects (saved searches, and so on) and alerts, tag events, and perform other similar tasks.
  • user: This role can create, edit, and run its own searches, save those searches, edit its own preferences, create and edit event types, and perform other similar tasks.
  • can_delete: This role grants the capability to delete events by keyword, which is required to run the delete search command. No user holds this role by default, not even admin. Because delete is irreversible, and because it only marks events as unsearchable rather than reclaiming disk space, assign this role sparingly and remove it once the cleanup is done.
  • sc_admin (Splunk Cloud only): This role lets users create other users and roles, but does not grant any other administrative capabilities.

Set permission granularity with custom roles

You can create custom roles and assign the roles to your users. Custom roles let you make granular adjustments to user access, including the following:

  • Role inheritance: You can have the role inherit certain properties from one or more existing roles. For more information, see "Role inheritance" in this topic.
  • Capabilities: You can specify which actions a user that holds the role can perform, for example, change their own password, change forwarder settings, and so on. See About defining roles with capabilities for more information.
  • Allowed and default indexes: You can limit the indexes that users that hold the role are allowed to search, and set which of those indexes the Splunk platform searches when a search does not name an index.
  • Search restrictions: In addition to specifying the indexes that users that hold the role can search, you can specify a search filter that limits the events that these users can see within those indexes. For additional information, see "Search restrictions" in this topic.
  • Resource access: You can control how many standard and real-time searches all users that hold the role can run at one time, as well as individual limits for each user. You can restrict searches to a certain time window, and control how much disk space is available for the search jobs that a user with this role creates.

You can create and manage any roles, including the predefined ones, either by using Splunk Web or by editing the authorize.conf configuration file.

Search restrictions

In addition to controlling the indexes that a role holder can search, you can further limit what results searches of those indexes return. The Splunk platform ANDs the role's search filter with the base search that the user runs, so the final data set contains only the events that satisfy both. Events that do not satisfy the filter are removed, which means there are fewer results than if there was no filter. For example, a filter of sourcetype!=syslog hides every syslog event from the role holder regardless of what they search for, and a filter of host=web* lets them see events from hosts whose names begin with "web" and nothing else.

Search filters are limited to certain specific fields and operators. You can create a search filter manually by typing it in, or you can use the search filter generator to create it automatically, based on the indexes you select and the indexed fields and values that those indexes contain. With the search filter generator, you can create complex search filters without worrying about syntax. You can preview what a search with this filter applied looks like before you save it, so that you can be confident your users get the search results you expect.

See Create and manage roles with Splunk Web for information on how to set search filters and use the search filter generator.
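To make the direction of the filter concrete, here is an added example that is not code from the Splunk documentation or the product: it models how a role's search filter is ANDed with the user's base search. The events, host names and filter strings are constructed, and the evaluator supports only a subset of the operators that srchFilter accepts (field=value, field!=value, * wildcards, implicit AND between terms, and OR).

```python
"""Added example, not Splunk's code: a small model of what a role's search
filter does to a result set. The filter is ANDed with the user's base search,
so only events that satisfy the filter come back. The grammar modelled here
(field=value, field!=value, * wildcards, implicit AND, OR) is a subset of
what Splunk accepts for srchFilter; the events are constructed."""
import fnmatch
import re

# Constructed sample events: one dict of indexed fields per event.
EVENTS = [
    {"host": "web-01", "sourcetype": "access_combined", "index": "main"},
    {"host": "web-02", "sourcetype": "syslog", "index": "main"},
    {"host": "db-01", "sourcetype": "syslog", "index": "main"},
    {"host": "hr-01", "sourcetype": "access_combined", "index": "hr_audit"},
]

TERM = re.compile(r"^(\w+)(!=|=)(\S+)$")


def match_term(event, term):
    """field=value or field!=value; a term never matches an event that lacks the field."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, op, pattern = m.groups()
    if field not in event:
        return False
    hit = fnmatch.fnmatchcase(str(event[field]), pattern)
    return hit if op == "=" else not hit


def match_expr(event, expr):
    """Whitespace between terms is AND; OR joins groups of terms and binds weaker."""
    clauses = re.split(r"\s+OR\s+", expr.strip())
    return any(all(match_term(event, t) for t in clause.split()) for clause in clauses)


def visible_hosts(srch_filter, base_search="index=main", events=EVENTS):
    """Hosts a role holder sees: the base search AND the role's filter, mirroring
    how the platform combines srchFilter with whatever the user typed."""
    return [e["host"] for e in events
            if match_expr(e, base_search) and (not srch_filter or match_expr(e, srch_filter))]


if __name__ == "__main__":
    for flt in ("", "sourcetype!=syslog", "host=web*", "host=hr-* OR sourcetype!=syslog"):
        print(f"{flt or '<no filter>':40} -> {visible_hosts(flt)}")
```

With no filter the base search index=main returns all three main-index hosts; with sourcetype!=syslog only web-01 survives, and with host=web* only the two web hosts do. A term on a field the event does not carry never matches, so a filter such as source!=x removes every event that has no source field rather than letting it through.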

Role inheritance

Roles do not take away access. A role that inherits from other roles receives everything those roles grant, and a user that holds multiple roles receives the union of what each role grants: every capability, every allowed index, and the most permissive value of each resource limit. A role with fewer permissions therefore never narrows a role with more. If you want to limit access to resources, create and assign roles that establish those limits, and do not let those roles inherit from, or be held alongside, roles that do not establish them.

How users inherit search filter restrictions

If a user holds roles with different search filters, the Splunk platform combines the filters into a single filter rather than picking one of them. How it combines them is set per role by srchFilterSelecting in authorize.conf. With the default (true), the filters are joined with OR, so an event is visible if it satisfies the filter of any of the user's roles. Filters from roles with srchFilterSelecting = false are joined with AND instead, and that AND group is then ANDed with the OR group. Two restrictive filters held through two roles therefore widen the result set unless you set srchFilterSelecting = false on the roles whose filters are meant to eliminate data. A role whose search filter is set to * discards the filters of the roles it inherits from, which is how the admin role is configured.

For example, the "power" and "user" roles do not define any search filters by default. If a user holds both roles and you assign them a third role that does define a filter, the user's searches are restricted by that third filter: an empty filter contributes nothing to the combination, so the unrestricted roles do not cancel the restriction.

How users inherit allowed indexes

Users that hold multiple roles can search the union of the indexes that each of their roles allows.

For example, say you have a custom role called "simple_user" which limits access to a single index, and another custom role called "advanced_user", which has more capabilities and permits access to all indexes. If you assign both roles to the same user, that user receives access to all indexes through the "advanced_user" role, even though the "simple_user" role limits access to a single index. As roles do not take away access, if you want to grant the capabilities of the "advanced_user" role while limiting index access to the one index that "simple_user" allows, the best practice is to create a single custom role that combines exactly the capabilities and index access that you want the user to have, and assign only that role.

How users inherit capabilities

Users that hold multiple roles receive the union of the capabilities that their roles grant.

For example, a user who holds both the "admin" and "advanced_user" roles receives every capability that either role grants. The "advanced_user" role, which has fewer capabilities than "admin", does not remove any of the admin capabilities.
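The inheritance rules in the three sections above can be checked mechanically. The following is an added example, not Splunk's own code: it parses a constructed authorize.conf (the role names and values are made up; the setting names importRoles, srchIndexesAllowed, srchIndexesDefault, srchFilter and srchFilterSelecting are real authorize.conf keys), follows importRoles, and reports the effective capabilities, allowed indexes and combined search filter for a user who holds one or more roles. The filter combination follows the srchFilterSelecting description in authorize.conf.spec: selecting filters are joined with OR, eliminating ones with AND, and a filter of * drops the filters of imported roles.

```python
"""Added example, not Splunk's code: a model of how the Splunk platform merges
what several roles grant. It parses a constructed authorize.conf, follows
importRoles, and combines capabilities, srchIndexesAllowed and srchFilter the
way this page and the srchFilterSelecting setting describe. Role names and
values are made up; the setting names are real authorize.conf keys."""
import configparser

# Constructed authorize.conf. The built-in user and power roles are redefined
# here only so the example is self-contained; in a real deployment they come
# from $SPLUNK_HOME/etc/system/default/authorize.conf.
AUTHORIZE_CONF = """
[role_user]
search = enabled
change_own_password = enabled
srchIndexesAllowed = main
srchIndexesDefault = main

[role_power]
importRoles = user
schedule_search = enabled
rtsearch = enabled

[role_simple_user]
search = enabled
srchIndexesAllowed = hr_audit
srchIndexesDefault = hr_audit
srchFilter = host=hr-*

[role_advanced_user]
importRoles = power
srchIndexesAllowed = *
srchIndexesDefault = main
srchFilter = sourcetype!=syslog
edit_forwarders = enabled
"""

# Keys that are role settings rather than capabilities.
SETTINGS = {"importRoles", "srchIndexesAllowed", "srchIndexesDefault",
            "srchFilter", "srchFilterSelecting"}


def load_roles(text):
    """Return {role name: {setting: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def split_list(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def resolve_role(roles, name, seen=frozenset()):
    """(capabilities, allowed indexes, [(filter, selecting)]) for one role, imports included."""
    if name in seen:  # tolerate an import cycle instead of recursing forever
        return set(), set(), []
    cfg = roles[name]
    caps = {k for k, v in cfg.items() if k not in SETTINGS and v.strip().lower() == "enabled"}
    indexes = set(split_list(cfg.get("srchIndexesAllowed", "")))
    own = cfg.get("srchFilter", "").strip()
    selecting = cfg.get("srchFilterSelecting", "true").strip().lower() != "false"
    override = own == "*"  # '*' drops the filters of imported roles (how admin is defined)
    filters = [] if override or not own else [(own, selecting)]
    for parent in split_list(cfg.get("importRoles", "")):
        p_caps, p_idx, p_filters = resolve_role(roles, parent, seen | {name})
        caps |= p_caps
        indexes |= p_idx
        if not override:
            filters += [f for f in p_filters if f not in filters]
    return caps, indexes, filters


def combine_filters(filters):
    """Selecting filters are ORed, eliminating ones ANDed, then the two groups are ANDed."""
    selecting = [f for f, sel in filters if sel]
    eliminating = [f for f, sel in filters if not sel]
    groups = []
    if selecting:
        groups.append(" OR ".join(f"({f})" for f in selecting))
    if eliminating:
        groups.append(" AND ".join(f"({f})" for f in eliminating))
    if len(groups) == 2:
        return f"({groups[0]}) AND ({groups[1]})"
    return groups[0] if groups else ""  # "" means no restriction at all


def effective_access(roles, held):
    """What a user holding the given roles can do: the union of everything each grants."""
    caps, indexes, filters = set(), set(), []
    for name in held:
        r_caps, r_idx, r_filters = resolve_role(roles, name)
        caps |= r_caps
        indexes |= r_idx  # '*' here means every non-internal index
        filters += [f for f in r_filters if f not in filters]
    return {"capabilities": sorted(caps), "indexes": sorted(indexes),
            "search_filter": combine_filters(filters)}


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    for held in (["simple_user"], ["advanced_user"], ["simple_user", "advanced_user"]):
        print(held, effective_access(roles, held))
```

Running it shows the point of the "simple_user" and "advanced_user" example: held together, the user gets srchIndexesAllowed = * from the second role and a combined filter of (host=hr-*) OR (sourcetype!=syslog), which is wider than either role alone. The combine_filters function reproduces the worked combination in authorize.conf.spec, where two selecting filters and one eliminating filter yield ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2)).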

Last modified on 27 February, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6
