Define roles on the Splunk platform with capabilities
There are two versions of this topic: one for Splunk Cloud Platform and the other for Splunk Enterprise. This is the Splunk Cloud Platform version of the topic. To change to the Splunk Enterprise version, select "Splunk Enterprise" from the "Product" drop-down list box in this topic.
When you perform user management on the Splunk platform, you can assign one or more roles to the user as part of that process. Each role contains a set of capabilities. These capabilities define what users who hold a certain role can do on the Splunk platform.
Users can only access the Splunk platform and use capabilities through roles that you assign to them. For example, if a user receives the edit_tokens_settings capability through a role, that user can modify the Token Authentication scheme on the Splunk platform instance. If they receive the admin_all_objects capability through another role, they can modify nearly any object on the instance.
Capabilities are always additive in nature. You cannot take away the ability to do something by adding a capability. If you don't want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign that role a capability that lets a user perform that function.
Similarly, users who hold multiple roles can access any capabilities that are assigned to those roles. If you do not want a certain user to have access to all the capabilities that a role provides, do not assign that role to that user.
In nearly all cases, capabilities whose names begin with edit_
give users the ability to perform create, read, update, and delete operations for the feature with which they associate. For example, the edit_udp
capability grants you the ability to create, read, update, and delete UDP network inputs - even if you do not have access to edit other types of inputs. Exercise caution when assigning edit_
capabilities.
Add, edit, and remove capabilities from roles
You can add, edit, or remove capabilities from new, existing, and default roles. These actions change the kind of access that the role provides. For example, you might give a role the capability to add inputs or edit saved searches.
To add or change the capabilities of a role, choose one of the following methods:
- To add or change the capabilities of a role in Splunk Web, see Create and manage roles with Splunk Web.
- To create roles and assign capabilities by editing the authorize.conf configuration file in Splunk Enterprise, see Add and edit roles with authorize.conf.
- To learn more about roles and how they work, see About configuring role-based user access.
Splunk is in the process of retiring the use of the "admin" user and role for external customers. The "admin" account and role are holdovers from the early days of the Splunk Cloud Platform service, and as Splunk continues to evolve its capabilities in Splunk Cloud Platform, the account and role are no longer relevant for these customers.
Splunk platform capabilities
This table shows the capabilities that you can add to any role, and whether or not the capabilities are assigned by default to the user, power, admin or sc_admin roles.
For the most up-to-date list of capabilities that are assigned to a role, see the Imported Capabilities text box on the Create a role page in Splunk Web.
Because capabilities change frequently from release to release, not every capability that is available to the Splunk platform appears in this list. Apps and add-ons can add their own capabilities which also do not appear here. See the documentation for the app or add-on that you use to potentially get information on app- and add-on-specific capabilities.
Capability name | What it lets you do | User | Power | Admin | Sc_admin |
---|---|---|---|---|---|
accelerate_datamodel | Enable or disable acceleration for data models. Set acceleration to true to enable automatic acceleration of this data model. Additional space is required depending on the number of events, fields, and distinct field values in the data. See the Knowledge Manager Manual for more information. | X | X | ||
accelerate_search | Lets the user enable or disable acceleration for reports. The user must also have the schedule_search capability assigned. Works for searches that use transforming commands. See the Knowledge Manager Manual for more information. | X | X | X | X |
acs_* | Capabilities required to run operations against Admin Config Service (ACS) API endpoints. See Manage ACS API access with capabilities in the Admin Config Service Manual. | X | X | ||
admin_all_objects | Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does. | X | X | ||
change_authentication | Lets the user change authentication settings and reload authentication. See the Securing Splunk Enterprise Manual for more about authentication. | X | X | ||
change_own_password | Lets the user change their own password. | X | X | X | X |
delete_by_keyword | Lets the user use the "delete" operator. The "delete" command marks all of the events returned by the search as deleted. This masks the data from showing up in search results but does not actually delete the raw data on disk. See the Search Manual for more information. | ||||
delete_messages | Lets a user delete system messages that appear in the UI navigation bar. | X | X | X | |
dispatch_rest_to_indexers | Lets a user dispatch the REST search command to indexers. | X | |||
edit_bookmarks_mc | Lets a user add bookmark URLs within the Monitoring Console. The URLs redirect administrators to Monitoring Console instances in other Splunk deployments. | X | |||
edit_deployment_client | Lets the user change deployment client settings. See the Managing Indexers and Clusters of Indexers Manual for more about the deployment client. | X | |||
edit_deployment_server | Lets the user change deployment server settings. User can change or create remote inputs that are pushed to the forwarders and other deployment clients. See the Managing Indexers and Clusters of Indexers manual for more about the deployment server. | X | |||
edit_dist_peer | Lets the user add and edit peers for distributed search. See the Managing Indexers and Clusters of Indexers Manual for more information. | X | |||
edit_edge_processor | Users with this capability can create, update, delete, and view all resources in the Edge Processor service. Resources include source types, pipelines, Edge Processors, and destinations. | X | |||
edit_encryption_key_provider | Lets the user view and edit key provider properties when they use Server-Side Encryption (SSE) for a remote storage volume. | X | |||
edit_field_filter | Lets a user create, edit, or delete field filters by using Splunk Web or the Splunk platform REST API authorization/fieldfilters and authorization/fieldfilters/{name} endpoints to update field filters. See Protect PII, PHI, and other sensitive data with field filters. | X | X | ||
edit_forwarders | Lets the user change forwarder settings, including settings for SSL, backoff schemes, etc. Also used by TCP and Syslog output admin handlers. | X | |||
edit_global_banner | Lets administrators display a persistent banner message to all users.
|
X | X | ||
edit_health | Lets a user enable/disable health reporting, set health status alerts, and set indicator thresholds for a feature in the splunkd health status tree through the server/health-config/ endpoint.
|
X | |||
edit_health_subset | Lets a user disable or enable health reporting for a feature in the "health_subset" view of the health status tree. Actions are performed through the server/health-config/{feature_name} endpoint. | X | |||
edit_httpauths | Lets the user edit and end user sessions through the httpauth-tokens endpoint. | X | |||
edit_indexer_cluster | Lets the user edit indexer clusters. See the Managing Indexers and Clusters of Indexers Manual for more about indexers. | X | |||
edit_indexerdiscovery | Lets the user edit settings for indexer discovery, including settings for master_uri , pass4SymmKey , and so on. Used by Indexer Discovery admin handlers.
|
X | |||
edit_ingest_processor | Users with this capability can create, update, delete, and view all resources in the Ingest Processor solution. Resources include pipelines, and destinations. | X | |||
edit_input_defaults | Lets the user use the server settings endpoint to change default hostnames for input data. | X | X | ||
edit_ip_allow_list | Lets the user edit ip allow lists for their deployment. See configure IP allow lists using Splunk Web. | X | X | ||
edit_local_apps | Lets the user edit actions for application management. Applies only when you set the enable_install_apps setting to "true" in authorize.conf .
|
X | |||
edit_log_alert_event | Lets a user log an event when an alert condition is met. Also lets the user select the "Log an event" option for an alert action in Splunk Web. | X | X | X | |
edit_limits_conf | Lets a user view and edit limits.conf settings using the Configure limits UI in Splunk Web. | X | X | ||
edit_metric_schema | Lets the user set up log-to-metrics transformations, which can convert single log events into multiple metric data points. | X | |||
edit_metrics_rollup | Lets the user create and edit metrics rollup policies, which set rules for the aggregation and summarization of metrics on a specific metric index. | X | |||
edit_monitor | Lets the user add inputs and edit settings for monitoring files. Also used by the standard inputs endpoint and the one-shot input endpoint. The The sc_admin role does not receive the edit_monitor capability because Splunk Cloud Platform cannot directly monitor files and directories. |
X | |||
edit_modinput_journald | Lets the user add and edit journald inputs. This input is not available on Windows. | X | |||
edit_own_objects | X | X | X | X | |
edit_roles | Lets the user edit roles and change user/role mappings. Used by both the user and role endpoint. | X | |||
edit_roles_grantable | Lets the user edit roles and change user/role mappings for a limited set of roles. Can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3
|
X | X | ||
edit_scripted | Lets the user create and edit scripted inputs. | X | |||
edit_search_concurrency_all | Lets a user edit settings related to maximum concurrency of searches. | X | |||
edit_search_concurrency_scheduled | Lets a user edit settings related to concurrency of scheduled searches. | ||||
edit_search_head_clustering | Lets the user edit search head clustering settings. | X | X | ||
edit_search_schedule_priority | Lets the user assign a search a higher-than-normal schedule priority. For information about the search scheduler, see the Knowledge Manager Manual. | X | X | ||
edit_search_schedule_window | Lets the user assign schedule windows to scheduled reports. Requires the schedule_search capability. For more about the search scheduler, see the Knowledge Manager Manual. | X | X | X | X |
edit_search_scheduler | Lets the user enable and disable the search scheduler. See the Knowledge Manager Manual. | X | X | ||
edit_search_server | Lets the user edit general distributed search settings like timeouts, heartbeats, and deny lists. | X | |||
edit_server | Lets the user edit general server settings like server name, log levels, etc. | X | |||
edit_server_crl | Lets the user edit general server settings like server name, log levels, etc. Inherits the ability to read general server and introspection settings. | X | |||
edit_sourcetypes | Lets the user edit sourcetypes. See the Knowledge Manager manual for more information about sourcetypes. | X | X | X | |
edit_splunktcp | Lets the user change settings for receiving TCP inputs from another Splunk instance. | X | |||
edit_splunktcp_ssl | Lets the user view or edit any SSL-specific settings for Splunk TCP input. | X | |||
edit_splunktcp_token | Lets the user edit the Splunktcp token. | X | |||
edit_storage_passwords | Lets the user make HTTP POST and DELETE calls to the /storage/passwords endpoint, which stores or deletes secrets. Users must hold the 'list_storage_passwords' role to retrieve secrets. | X | X | ||
edit_tcp | Lets the user change settings for receiving general TCP inputs. | X | |||
edit_tcp_token | Lets the user change TCP tokens. This is an admin capability and should only be assigned to system administrators. | X | |||
edit_telemetry_settings | Opt in or out of product instrumentation. See Share data in Splunk Enterprise in the Admin Manual. | X | |||
edit_token_http | Lets the user create, edit, display, and remove settings for HTTP token input. Also enables the HTTP Event Collector feature. | X | |||
edit_tokens_all | Lets the user issue tokens to all users. | X | |||
edit_tokens_own | Lets the user issue tokens to themself. | X | |||
edit_tokens_settings | Lets the user manage token settings. | X | |||
edit_udp | Lets the user change settings for UDP inputs. | X | |||
edit_user | Lets the user create, edit, or remove users. A role with the edit_user capability can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3 . Also lets a user manage certificates for distributed search. |
X | X | ||
edit_view_html | Lets the user create, edit, or modify HTML-based views. | X | |||
edit_web_settings | Lets the user change settings for web.conf through the system settings endpoint. | X | |||
edit_webhook_allow_list | Lets the user edit the webhook allow list, which determines the URL endpoints to which a webhook alert action is authorized to send HTTP POST requests. See Configure webhook allow list in Splunk Web. | X | X | ||
edit_workload_pools | Lets the user create and edit workload pools through the workloads/pools endpoint. | X | |||
edit_workload_rules | Lets the user create and edit workload rules through the workloads/rules endpoint. | X | |||
embed_report | Lets the user embed reports and disable embedding for embedded reports. | X | X | ||
export_results_is_visible | Lets the user display or hide the Export Results button in Splunk Web. The default value is to display the button. | X | X | X | X |
fsh_manage | Lets the user view, create, and edit federated provider and federated index definitions through Splunk Web. Federated providers and federated indexes are required for federated search. | X | X | ||
fsh_search | Lets the user run federated searches. | X | X | ||
get_diag | Lets the user get a remote diag from a Splunk instance using the /streams/diag endpoint. | X | |||
get_metadata | Lets the user use the "metadata" search processor. | X | X | X | X |
get_typeahead | Lets the user use typeahead in the endpoint and the typeahead search field. | X | X | X | X |
indexes_edit | Lets the user change index settings. | X | X | ||
input_file | Lets the user add a file as an input through inputcsv (except for dispatch=t mode) and inputlookup. | X | X | X | X |
install_apps | Lets the user install, uninstall, create, and make updates to apps. Applies only when you configure the enable_install_apps setting to "true" in authorize.conf .
|
X | |||
license_edit | Lets the user edit the license. | X | |||
license_read | Lets the user access license attributes and related information. | ||||
license_tab | Lets the user access and change the license. This attribute is deprecated. | X | |||
license_view_warnings | Lets the user see a warning message when they are exceeding data limits or reaching the expiration date of their license. These warnings appear on the system banner. | X | |||
list_accelerate_search | Lets the user view accelerated reports. User cannot accelerate reports. | X | |||
list_all_apps | Lets a user list all configuration settings for the configuration endpoints. This capability prevents unauthorized access to configuration endpoints. | X | X | X | X |
list_all_roles | Lets a user list all roles and the capabilities that are assigned to those roles. For full access to listing users, roles, and capabilities, the user must also have or assign the 'list_all_users' capability.
If you log into your Splunk Cloud Platform instance as the sc_admin or ps_admin user, you might see additional users that are associated with these capabilities when you view them in the Users settings page in Splunk Web. |
X | |||
list_all_users | Lets a user list all users by accessing the /services/authentication/users REST endpoint. For full access to listing users, roles, and capabilities, the user must also have or assign the 'list_all_roles' capability.
If you log into your Splunk Cloud Platform instance as the sc_admin or ps_admin user, you might see additional users that are associated with these capabilities when you view them in the Users settings page in Splunk Web. |
X | |||
list_deployment_client | Lets the user view deployment client settings. | X | |||
list_deployment_server | View deployment server settings. | X | |||
list_field_filter | Lets a user view field filters by using Splunk Web or the Splunk platform REST API authorization/fieldfilters and authorization/fieldfilters/{name} endpoints. See Protect PII, PHI, and other sensitive data with field filters. | X | X | X | |
list_forwarders | Lets a user list and view settings for data forwarding. Can be used by TCP and Syslog output admin handlers. | X | |||
list_health_subset | Lets a user monitor the health of Splunk Enterprise features (such as search scheduler) through REST endpoints. | X
| |||
list_httpauths | Lets the user view user sessions through the httpauth-tokens endpoint. | X | X | ||
list_indexer_cluster | Lets the user view the list of indexer clusters as well as indexer cluster objects such as buckets, peers, etc. | X | |||
list_indexerdiscovery | Lets the user view settings for indexer discovery. Also used by indexer discovery handlers. | X | |||
list_inputs | Lets the user view lists of various inputs, including input from files, TCP, UDP, scripts, etc. | X | X | X | X |
list_introspection | Lets the user read introspection settings and statistics for indexers, search, processors, queues, etc. | X | X | ||
list_metrics_catalog | Lets the user query for lists of metrics catalog information such as metric names, dimensions, and dimension values. | X | X | X | |
list_search_head_clustering | Lets the user list and view search head clustering objects like artifacts, delegated jobs, members, captain, etc. | X | X | ||
list_search_scheduler | Lets the user view lists of search scheduler jobs. | X | X | ||
list_settings | Lets the user list and view server and introspection settings such as the server name, log levels, etc. You must have the list_settings capability to send emails from alerts. | X | X | ||
list_storage_passwords | Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint. | X | X | ||
list_tokens_all | Lets the user view all tokens. | X | |||
list_tokens_own | Lets the user view their own tokens. | X | X | X | |
list_tokens_scs | Lets a user retrieve a Splunk Cloud Platform Services (SCS) token for an SCS service with which this Splunk Cloud deployment has been configured to communicate. Customers do not use or assign this capability, rather, it might appear in various configuration panes in Splunk Web. |
X | X | ||
list_workload_pools | Lets a user list and view workload pool and workload status information from the workloads/rules endpoint. | X | |||
list_workload_rules | Lets a user list and view workload rule information from the workloads/rules endpoint. | X | |||
metric_alerts | Lets a user create, update, enable, disable, and delete a streaming metric alert. | X | X | ||
never_expire | Lets a user account never expire. | X | |||
never_lockout | Lets a user account never lock the user out. | X | |||
output_file | Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup. | X | X | X | X |
pattern_detect | Lets the user see and use the Patterns tab in the Search view. | X | X | X | X |
request_remote_tok | Lets the user obtain a remote authentication token, which lets the user perform some distributed peer management and bundle replication and distribute searches to old 4.0.x Splunk instances. | X | X | X | X |
rest_access_server_endpoints | Lets a user access any /services/server/* endpoints using the rest command. For example, a role with the rest_access_server_endpoints capability can run the following searches:
|
X | X | X | X |
rest_apps_management | Lets the user edit settings for entries and categories in the python remote apps handler. See restmap.conf for more information. | X | X | ||
rest_apps_view | Lets the user list and view various properties in the Python remote apps handler. See restmap.conf for more information.
|
X | X | X | X |
rest_properties_get | Lets the user get information from the services/properties endpoint. | X | X | X | X |
rest_properties_set | Lets the user edit the services/properties endpoint. | X | X | X | X |
restart_splunkd | Lets the user restart Splunk Enterprise through the server control handler. | X | X | ||
rtsearch | Lets the user run real-time searches. | X | X | X | |
run_collect | Lets the user run the collect command.
|
X | X | X | |
run_commands_ignoring_field_filter | When field filters are in use, this capability lets users run searches across any indexes in the organization using certain restricted commands that return protected data. This capability is required for roles to run the following commands that are restricted by default: tstats, mstats, mpreview, walklex, and typeahead. These commands can return sensitive index information to which roles that are restricted by field filters should not have access. See Protect PII, PHI, and other sensitive data with field filters. | X | X | X | |
run_custom_commands | Lets the user run custom search commands. For more information on custom search commands and how to create them, see Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise in the Splunk Developer Portal. | X | X | X | |
run_dump | Lets the user run the dump search command.
|
X | X | X | |
run_mcollect | Lets the user run the mcollect and meventcollect commands.
|
X | X | X | |
run_msearch | Lets the user run the msearch command.
|
X | |||
run_walklex | Lets the user run searches that include the walklex command, even if they have a role that has search filters applied to it. By its nature, the walklex command bypasses role-based search filters. Avoid giving this capability to roles that must have their search functionality restricted. This capability is not assigned to any role by default.
|
||||
run_sendalert | Lets the user run the sendalert search command.
|
X | X | X | |
schedule_rtsearch | Lets the user schedule real-time saved searches. The schedule_search and rtsearch capabilities must also be assigned to the role. | X | X | X | X |
schedule_search | Lets the user schedule saved searches, create and update alerts, review triggered alert information, and use the sendemail command.
|
X | X | X | |
search | Lets the user run a search. See the Search Manual for more information. | X | X | X | X |
search_process_config_refresh | Lets the user use the "refresh search-process-config" CLI command to manually flush idle search processes. | X | X | X | |
select_workload_pools | Lets a user assign a scheduled search or ad-hoc search to a workload pool. | X | |||
srchFilter | Lets the user manage search filters. See the Search Manual for more information. | X | |||
srchIndexesAllowed | Lets the user run search indexes. See the Search Manual for more information. | X | |||
srchIndexesDefault | Lets the user set default search indexes. | X | |||
srchJobsQuota | Lets the user set search job quotas. | X | |||
srchMaxTime | Lets the user set the maximum time for a search. | X | |||
upload_lookup_files | Lets the user upload files that can be used in conjunction with lookup definitions. Only affects lookup types that involve the upload of a file, such as CSV and geospatial lookups. | X | X | X | |
upload_mmdb_files | Lets the user upload .mmdb files that are used by the iplocation command to extract location information from IP addresses.
|
X | X | ||
use_file_operator | Lets the user use the "file" search operator. The "file" search operator is deprecated. | X | |||
web_debug | Lets the user debug Web files. | X |
Avoid unintentional execution of fields within CSV files in third party applications |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!