Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Setting access to manager consoles and apps in Splunk Enterprise

On Splunk Enterprise instances only, you can use the local.meta file to grant and restrict access to certain parts of your Splunk Enterprise instance.

This file is not accessible on Splunk Cloud instances. On a Splunk Cloud instance, use and edit roles with Splunk Web to grant access to your Splunk Cloud deployment.

Examples of managing access to manager consoles and Splunk apps

With the local.meta file, you can:

  • Restrict users in custom roles to a specific app
  • Give users in custom roles the ability to access admin level features

Grant admin roles to users

Some management abilities that belong to the admin role are unique to that specific label. These abilities are not automatically inherited from the admin role when you configure a role in Splunk Web or the authorize.conf configuration file.

For example, say you want to create a custom role that inherits all of the abilities of the admin role but has limited access to search jobs. To do this, you would create a new role called "specialAdmin" and set it to inherit all of the capabilities of the admin role, as described in About defining roles with capabilities. Then, you would set your search limits, as described in About configuring role-based user access.

Restrict access to specific apps

You can also use the local.meta file to restrict access.

For example, say you want to allow a user access to only one dashboard view. To accomplish this, you could create an app for that view and assign the user role to that app. In this case, you can use the local.meta file to let the role view that app.

Add and remove access using the local.meta file

You can give or restrict access by editing the local.meta file to add the new role wherever you want it. This action is not possible on Splunk Cloud instances, it is available only on Splunk Enterprise.

  1. Locate the local.meta file. Its location depends on several factors.
    • If you want to edit access for the main search page, for example, the manager controls, look in $SPLUNK_HOME/etc/system/metadata/.
    • If you want to edit access to a particular app, look in $SPLUNK_HOME/etc/apps/<app_name>/metadata/.
    • If the directory for the desired location does not contain the file, you can copy the default version default.meta and rename the copied file to local.meta.

      Do not edit the default.meta file directly as you might need the default values in that file at a future time.

  2. Open the local.meta file for editing.
  3. In the local.meta file, add the name of the new role to the stanza that corresponds with the access you want. See the table at the end of this procedure for details.
  4. Save the file and close it.
  5. Restart Splunk Enterprise.
Default stanza What it does

access = read : [ * ], write : [ admin, power ]

Allow all users to read this app's contents, or access functions in the Splunk Manager page, depending on the directory you are in. Unless overridden by other metadata, allows only admin and power users to share objects into this app.

[views] [manager/accesscontrols] access = read : [ * ], write : [ admin ]

Determines the access controls for the Manager page access.


Example 1: You set up a new role called "usermanager" that only inherits capabilities from the user role and does not inherit any searches or indexes. You want this role to be able to create and manage user accounts, but have no data access.

To configure this access, edit the following stanza of the local.meta file:

access = read : [ admin ], write : [ admin ]

To include the following:

access = read : [ admin, usermanager ], write : [ admin, usermanager ]

This gives the "usermanager" role the ability to see and edit things in the "Access controls" pages in Splunk Enterprise Manager.

Example 2: You set up a new role called "userview," that you want to access, but not edit, pages in Manager. In this case, only add the role to the "read" value:

access = read : [ admin, userview, usermanager ], write : [ admin, usermanager ]

You can also grant access to read the manager pages to any using the asterisk *, which acts as a wildcard:

access = read : [ * ], write : [ admin ]

Example 3: You want a subset of users who can only read sales data that you specify. To accomplish this, you can create an app for the dashboard and then create a new role "salesusers."

In the local.meta file in your app directory, edit the following stanza:

access = read : [ * ], write : [ * ]

to read:

access = read : [ salesusers ], write : [ admin ]
Last modified on 14 December, 2021
Configure users with the CLI
Delete all user accounts on Splunk Enterprise

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters