This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Granular access controls allow you to control access to data based on a search. Users are named, grouped and then given access through roles.
Splunk's default access control allows each Splunk user on a server access to all event data on the server. This can be modified through the use of Splunk's access controls. When users are named in an access control, they are granted access only to the data associated with their access control roles. While all the configured sources, hosts and sourcetypes will be visible on the home page, searches and search results are checked against the allowed access. Data that is not allowed is not returned to the user. Users that are not named in access controls continue to have open access.
Granular access controls are specified in access_controls.conf. Before manually modifying any configuration file, please read about bundle files. Changes will be applied automatically, without restarting Splunk.