Splunk® Enterprise

Securing the Splunk Platform

Create and manage users with Splunk Web

You can manage who has user access to your Splunk platform instance with the Users window. You can create and delete users, and you can also manage various aspects about users, including their name, email address, password, default time zone, and role assignment.

You access the Users control panel from anywhere in Splunk Web by selecting Settings > Users in the system bar.

The "Users" control panel

The "Users" control panel displays a list of all users that are on the Splunk platform instance. By default, the page lists the users ascending by name. The page displays the following information in columns, from left to right:

  • Name: The user name. You can click on the name to edit that user.
  • Actions: This column is a drop-down menu of actions that you can perform on the user. See "Perform actions on users" in this topic.
  • Authentication system: The authentication scheme that the user uses to log into the Splunk platform instance.
  • Full name: The full name of the user, as entered in the "Full Name" field on the individual user page.
  • Email address: The email address of the user, as entered in the "Email Address" field on the individual user page.
  • Time zone: The time zone that has been specified for the user. If the user uses the default system time zone, nothing appears here.
  • Default app: The default Splunk application context that a user is in when they log in.
  • Default app inherited from: The entity from which the user inherits the application context.
  • Roles: The roles of which the user is a member.
  • Last login: The last time the user successfully logged onto the instance. If nothing appears here, the user has never logged in.
  • Status: The current status of the user, as provided by the authentication scheme.

Sort the user list

You can click any of the column headers to sort the user list by that column header, with the exception of "Actions". Clicking a column header multiple times toggles whether the user list sorts in ascending or descending order.

Perform actions on users

You can perform several different actions on an existing user, including but not limited to making edits, cloning, viewing a list of capabilities that a user has, viewing the index inheritances that a user has, and performing a search in a user context. These actions are available under the Actions column for each user, and you can access them by clicking the Edit link in that column.

  • To edit a user, click Edit. The "Edit User" page appears. See "Edit a user" later in this topic for continued instructions.
  • To clone a user, click Clone. This action takes you through the "Create user" process to create an identical user.
  • To view all of the capabilities that a user has, click View Capabilities. This loads the "View Capabilities" page which lists all of the capabilities that the user has, based on the roles that the user holds.
  • To view the indexes that a user has access to through role inheritance, click View Indexes. This loads the "View Index Inheritance" page, which shows what indexes a user has access to based on the roles that they hold. See "View Index Inheritance for a user" later in this topic.
  • To run a search as a specific user, based on the indexes and search filters in the roles that they hold, click Search As. This loads a Search page where you can run a search within the framework of the indexes and search filters that are available to that user. The search runs with the capabilities of the admin user.
  • To delete a user, click Delete. The instance confirms whether or not you want to delete the user.

Create a user

  1. From the system bar, click Settings > Users.
  2. Click New User.
  3. In the Name field, provide a user name. This is what the user provides at the login page.
  4. In the Full Name field, provide the full name of your user.
  5. In the Email Address field, provide the user email address.
  6. In the Set password field, create a password.
  7. Confirm the new password in the Confirm Password field.
  8. Confirm that the password you created meets the password requirements as displayed below the "Confirm password" field.
  9. Select the user's time zone in the Time Zone field.
  10. In the Default App field, select the app that the user will land in by default when they log into the Splunk platform instance. The default is "Home". "Search" is a common default app as well.
  11. In Assign to Roles, you can select any roles that you want for your user to hold.
  12. Click Create a role for user if you want the user's new assignments to be created as a role assigned specifically to this user.
  13. Check Require password change on first login to force your user to change their password when they first log into the Splunk platform instance.
  14. Click Save. The Splunk platform creates the user and returns you to the "Users" page.

Edit a user

  1. From the system bar, click Settings > Users.
  2. Either click the user name link in the Name column, or click the Edit link in the Actions column for the user you want to edit.
  3. In the Name field, provide a user name. This is what the user provides at the login page.
  4. In the Full Name field, provide the full name of your user.
  5. In the Email Address field, provide the user email address.
  6. In the Set password field, create a password.
  7. Confirm the new password in the Confirm Password field.
  8. Confirm that the password you created meets the password requirements as displayed below the "Confirm password" field.
  9. Select the user's time zone in the Time Zone field.
  10. In the Default App field, select the app that the user will land in by default. The default is "Home". "Search" is a common default app as well.
  11. In Assign to Roles, you can select any roles that you want for your user to hold.
  12. Click Create a role for user if you want the user's new assignments to be created as a role assigned specifically to this user.
  13. Check Require password change on next login to force your user to immediately change their password.
  14. Click Save. The Splunk platform creates the user and returns you to the "Users" page.

Run a search as a user

When you run a search as a user, you see results based on the roles that the user holds and the indexes that the user has access to. Additionally, the search includes any search filters that you have configured for the roles that the user holds.

  1. From the system bar, click Settings > Users.
  2. Click the Edit link in the Actions column for the user under which you want to run a search.
  3. Click "Search as..." A New Search window opens.
  4. In the Search bar, type in a valid Splunk search. The Splunk platform returns results based on the context of the user and the roles that the user holds, as well as any search filters that have been configured for those roles.

View index inheritances for a user

You can see how a user gets access to an index based on the roles that the user holds. The indexes that a user has access to determine the results that searches return.

You can only view inheritances of indexes on this page. To change which indexes a role has access to, visit the Roles page and either add or edit a role. See Create and manage roles with Splunk Web.

  1. From the system bar, click Settings > Users.
  2. Click the Edit link in the Actions column for the user under which you want to view index inheritance information.
  3. Click View Indexes... The View Index Inheritance page opens.
  4. In the Index field, either type in the name of an index, or click the field to show a list of indexes.
  5. Select the index whose inheritance you want to view by clicking it in the drop-down list box. The table on the page updates based on the inheritances for the index you specified, as follows:
    • The "Roles" column displays the roles that have access to the index you selected.
    • If the user you chose holds the role, Splunk Web displays a star next to it.
    • If the role has the index directly, or natively, assigned to it, a triangle appears in the Included column for that role.
    • If the index has directly been made the default index for the role, a triangle appears in the Default column for that role.
    • If the role inherits the index from another role, then a circle appears in the Included column for that role, and the inherited role appears in the Inherits from column for the role.
    • If the index is the default index for the role through an inheritance, a circle appears in the Default column for that role.

Splunk Web follows inheritances to their logical end. This means it always displays the roles that inherit from another role until it finds the roles which have the selected indexes defined natively. Given the following scenario:

  • User Fred holds role Role1.
  • Role Role1 inherits from role Role2.
  • Role Role2 has indexes Index1 and Index2 assigned to it.

If you selected Index1, the View Inheritances page would display the following:

  • The page lists both roles Role1 and Role2.
  • Role Role1 has a star by it because user Fred holds that role.
  • Role Role2 lists triangles under the Included and Default columns because role Role2 has those indexes assigned to it natively.
  • Role Role1 lists circles under the Included and Default columns because role Role1 inherits from role Role2.

If a user does not hold at least one role that has been assigned to the index you select, nothing appears in the View Index Inheritance table.
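
The resolution described above can be reproduced outside Splunk Web when auditing index access for least privilege. The following is an added example, not Splunk's own code: it models roles with keys named after the authorize.conf settings importRoles, srchIndexesAllowed and srchIndexesDefault, and walks the Fred/Role1/Role2 scenario. Assumptions: index names are matched exactly (no wildcards), Role2 also has both indexes as defaults, Role3 and Index3 are constructed for contrast, and inherits_from reports the roles that hold the index natively.

```python
# Constructed role definitions mirroring the Fred/Role1/Role2 scenario.
# Keys are modeled on authorize.conf settings; Role3 and Index3 are added for contrast.
ROLES = {
    "Role1": {"importRoles": ["Role2"], "srchIndexesAllowed": [], "srchIndexesDefault": []},
    "Role2": {"importRoles": [], "srchIndexesAllowed": ["Index1", "Index2"],
              "srchIndexesDefault": ["Index1", "Index2"]},
    "Role3": {"importRoles": [], "srchIndexesAllowed": ["Index3"], "srchIndexesDefault": []},
}

def ancestors(role, roles):
    """Every role reachable from `role` through importRoles (cycle-safe)."""
    seen, stack = set(), list(roles[role]["importRoles"])
    while stack:
        r = stack.pop()
        if r == role or r in seen or r not in roles:
            continue
        seen.add(r)
        stack.extend(roles[r]["importRoles"])
    return seen

def marker(role, index, key, roles):
    """'native' (triangle), 'inherited' (circle) or None, plus the source roles."""
    if index in roles[role][key]:
        return "native", []
    sources = sorted(a for a in ancestors(role, roles) if index in roles[a][key])
    return ("inherited", sources) if sources else (None, [])

def index_inheritance(user_roles, index, roles):
    """Rows of the inheritance table for one user and one index."""
    held = [r for r in user_roles if r in roles]
    candidates = set(held)
    for r in held:
        candidates |= ancestors(r, roles)
    rows = []
    for role in sorted(candidates):
        included, sources = marker(role, index, "srchIndexesAllowed", roles)
        if included is None:
            continue  # role gives no access to this index, so it is not listed
        default, _ = marker(role, index, "srchIndexesDefault", roles)
        rows.append({"role": role, "held": role in held, "included": included,
                     "default": default, "inherits_from": sources})
    return rows

if __name__ == "__main__":
    for row in index_inheritance(["Role1"], "Index1", ROLES):
        print(row)
```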

Delete a user

Deleting a user permanently removes their account and its associated information from the instance, and cannot be undone. You cannot remove the admin user.

  1. From the system bar, click Settings > Users.
  2. Click the Edit link in the Actions column for the user you want to edit.
  3. Click Delete.
  4. In the confirmation dialog box, click Delete.
Last modified on 22 August, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0

