Add users and assign roles

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

This topic describes how to create new users and change the properties (like password) of existing users.

Add and edit users via Splunk Web

  • In Splunk Web, click Manager.
  • Click Users.
  • Click New or edit an existing user.
  • Specify new or changed information for this user.
  • Assign this user to an existing role or roles and click Save.

When you create a user, Splunk automatically creates a role for that user as well. You can then edit that role to specify what access that user has to Splunk.

Add and edit users using the CLI

  • To add a new administrator user with password changeme2:
    • ./splunk add user admin2 -password changeme2 -role admin -auth admin:changeme
  • To change an existing user password to fflanda:
    • ./splunk edit user admin -password fflanda -role admin -auth admin:changeme

Add and edit roles using Splunk Web

  • In Splunk Web, click Manager.
  • Click Roles.
  • Click New or edit an existing role.
  • Specify new or changed information for this role. In particular, you can
    • restrict what data this role can search with a search filter (see "Search filter format" below for more information)
    • restrict the size of the time window this role can search over
    • specify whether this role inherits capabilities from any other roles
    • choose individual capabilities for this role
    • specify an index or indexes that this role will search by default
    • specify whether this role is restricted to a specific index or indexes.
  • Click Save.

Note: Members of multiple roles inherit capabilities from the role with the loosest permissions.

Add and edit roles using authorize.conf

Configure roles by editing authorize.conf. Roles are defined by lists of capabilities. You can also use roles to create fine-grained access controls by setting a search filter for each role.

Caution: Do not edit or delete any roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see About configuration files.

Add the following attribute/value pairs to $SPLUNK_HOME/etc/system/local/authorize.conf.

[role_$ROLE_NAME]
$CAPABILITY1 = enabled
$CAPABILITY2 = enabled
...
importRoles = $OTHER_ROLE
srchFilter = $SEARCH_STRING
  • role_$ROLE_NAME:
    • the name you want to give your role, for example security, compliance, ninja.
  • $CAPABILITY1:
    • any capability from the list below. You can have any number of capabilities for a role.
  • importRoles = <role>:
    • when set, the current role will inherit all the capabilities from <role>.
  • srchFilter = <search>:
    • use this field for fine-grained access controls. Searches for this role will be filtered by this expression.
  • srchTimeWin = <string>:
    • maximum time span (in seconds) of a search executed by this role.
  • srchDiskQuota = <int>:
    • maximum amount of disk space (MB) that can be taken by search jobs of a user that belongs to this role.
  • srchJobsQuota = <int>:
    • maximum number of concurrently running searches a member of this role can have.
  • srchIndexesDefault = <string>:
    • semicolon-delimited list of indexes to search when no index is specified.
    • These indexes can be wildcarded, with the exception that '*' does not match internal indexes.
    • To match internal indexes, start with '_'. All internal indexes are represented by '_*'.
  • srchIndexesAllowed = <string>:
    • semicolon-delimited list of indexes this role is allowed to search.
    • Follows the same wildcarding semantics as srchIndexesDefault.

Note: You must restart Splunk after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list.

Search filter format

The srchFilter/Search filter field can include any of the following search terms:

  • source=
  • host= and host tags
  • index= and index names
  • eventtype= and event type tags
  • sourcetype=
  • search fields
  • wildcards
  • use OR to use multiple terms, or AND to make searches more restrictive

Note: Members of multiple roles inherit capabilities from the role with the loosest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all applied.

The search terms cannot include:

  • saved searches
  • time operators
  • regular expressions
  • any fields or modifiers Splunk Web can overwrite
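The term rules above are easier to reason about when a filter can be checked and then applied to some events. The following is an added example, not Splunk's own search or validation code: check_search_filter() flags the exclusions that can be recognised from the filter text alone, and filter_matches() evaluates the allowed field=value, wildcard, OR and AND forms over in-memory events. Assumptions: earliest=/latest= stand in for the "time operators" the page excludes, a pipe is how a saved search or a command such as regex would enter a filter, '*' wildcards are matched with fnmatch, and OR is evaluated before AND (the order Splunk documents for boolean search expressions). The sample events are constructed.

```python
"""Check a srchFilter value against this page's term rules and apply it to sample events.

Added example, not Splunk's own code. The disallowed-term detection is limited to what
the page's exclusion list lets us recognise from the text alone.
"""
from fnmatch import fnmatchcase

# Assumption: earliest=/latest= are the "time operators" the page excludes.
TIME_MODIFIERS = ("earliest=", "latest=")


def check_search_filter(filter_text):
    """Return a list of problems found in the filter; empty means nothing disallowed was seen."""
    problems = []
    if "|" in filter_text:
        # Assumption: saved searches and commands such as regex arrive through a pipe.
        problems.append("pipe: saved searches and search commands (e.g. regex) are not allowed")
    for token in filter_text.split():
        if token.lower().startswith(TIME_MODIFIERS):
            problems.append(f"time operator not allowed: {token}")
    return problems


def _term_matches(term, event):
    """field=value with optional * wildcards; a bare word is looked up in the raw event text."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        value = event.get(field)
        return value is not None and fnmatchcase(str(value), pattern)
    return term in event.get("_raw", "")


def filter_matches(filter_text, event):
    """True if the event passes the filter.

    Assumption on precedence: OR binds tighter than AND (explicit, or implicit between
    adjacent terms), the order Splunk documents for boolean search expressions.
    """
    tokens = filter_text.split()
    if not tokens:          # no filter configured: nothing is hidden
        return True
    groups = []             # each group is a list of OR-alternatives; groups are ANDed
    join_next = False
    for tok in tokens:
        up = tok.upper()
        if up == "OR":
            join_next = True
        elif up == "AND":
            join_next = False
        elif join_next and groups:
            groups[-1].append(tok)
            join_next = False
        else:
            groups.append([tok])
            join_next = False
    return all(any(_term_matches(t, event) for t in g) for g in groups)


def visible_events(filter_text, events):
    """The subset of events a member of a role with this srchFilter could see."""
    return [e for e in events if filter_matches(filter_text, e)]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"host": "fflanda", "index": "main", "sourcetype": "syslog", "_raw": "sshd: session opened"},
    {"host": "web01", "index": "main", "sourcetype": "access_combined", "_raw": "GET / 200"},
    {"host": "web02", "index": "audit", "sourcetype": "access_combined", "_raw": "GET /admin 403"},
]

if __name__ == "__main__":
    for f in ("host=fflanda", "host=web* AND index=main",
              "host=fflanda OR sourcetype=access_combined", "index=main earliest=-1d"):
        result = check_search_filter(f) or [e["host"] for e in visible_events(f, SAMPLE_EVENTS)]
        print(f"{f!r} -> {result}")
```

A filter that trips check_search_filter() should be rejected before it is written into authorize.conf; the evaluator is only meant to show what the allowed forms select, not to replace Splunk's search engine.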

Map a user to a role via Splunk Web

Once you've created a role in authorize.conf, map a user or users to it via Splunk Web.

  • Click on the Manager link in the upper right-hand corner.
  • Then, click the Users link.
  • Edit an existing user or create a new one.
  • Choose which role to map to from the Role list.
    • Any custom roles you have created via authorize.conf will be listed here.

Important: If you change (and save) an existing user/group role LDAP mapping from within Splunk Web, all users currently logged in to Splunk Web will be automatically logged out of Splunk Web immediately and must log back in to proceed. This is done to ensure that any users who should no longer have access as a result of the role mapping change are indeed denied access.


Example of creating a role in authorize.conf

This example creates the role Ninja, which inherits capabilities from the default roles User and Everybody. Ninja has almost the same capabilities as Power, except that it cannot create alerts (only saved searches). Also, Ninja is limited to searching on host=fflanda.

[role_Ninja]
edit_save_search  = enabled
schedule_search   = enabled
edit_eventtype    = enabled
edit_role_search  = enabled
edit_local_search = enabled
savesearch_tab    = enabled
edit_tags         = enabled
importRoles       = User;Everybody
srchFilter        = host=fflanda
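To see what a stanza like the one above actually grants, it helps to resolve the inheritance described in the authorize.conf attribute list and the "loosest permissions" note. The following resolver is an added example, not Splunk's own code: it parses [role_*] stanzas, follows importRoles recursively (cycle-safe), computes the union of capabilities for a user who belongs to several roles, and collects the srchFilter of each assigned role. The sample configuration is constructed; its role_Ninja stanza is the page's own example, while the contents of role_Everybody, role_User, role_Power and role_Compliance are assumptions made for illustration using capability names from the page.

```python
"""Resolve effective Splunk role capabilities and search filters from authorize.conf stanzas.

Added example, not Splunk's own code. Semantics implemented as described on this page:
importRoles inherits every capability of the imported role, and a member of several roles
gets the union of their capabilities (the "loosest permissions" note).
"""
import re

# Constructed sample in authorize.conf format. role_Ninja is the page's own example;
# the other stanzas are assumptions for illustration.
SAMPLE_AUTHORIZE_CONF = """
[role_Everybody]
savesearch_tab = enabled

[role_User]
edit_save_search = enabled
srchIndexesDefault = main
srchIndexesAllowed = main

[role_Power]
importRoles = User;Everybody
edit_alert_action = enabled
edit_eventtype = enabled

[role_Ninja]
edit_save_search  \t\t= enabled
schedule_search          \t= enabled
edit_eventtype      \t\t= enabled
edit_role_search        \t= enabled
edit_local_search         \t= enabled
savesearch_tab            \t= enabled
edit_tags                 \t= enabled
importRoles = User;Everybody
srchFilter = host=fflanda

[role_Compliance]
importRoles = User
srchFilter = index=audit
"""


def parse_authorize_conf(text):
    """Return {role_name: {attribute: value}} for every [role_*] stanza; other stanzas are skipped."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = re.match(r"^\[role_(.+)\]$", line)
            current = m.group(1) if m else None
            if current is not None:
                roles.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)      # tabs and spaces around '=' are tolerated
        roles[current][key.strip()] = value.strip()
    return roles


def effective_capabilities(roles, role, _seen=None):
    """Capabilities of `role` plus everything inherited through importRoles (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    attrs = roles[role]
    caps = {k for k, v in attrs.items() if v.lower() == "enabled"}
    for parent in attrs.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(roles, parent.strip(), seen)
    return caps


def user_capabilities(roles, user_roles):
    """Union across all assigned roles: the loosest permissions win."""
    caps = set()
    for r in user_roles:
        caps |= effective_capabilities(roles, r)
    return caps


def user_search_filters(roles, user_roles):
    """srchFilter of each assigned role. The page says all of them apply but does not say
    how they combine, so they are returned as a list rather than joined."""
    filters = []
    for r in user_roles:
        f = roles.get(r, {}).get("srchFilter")
        if f and f not in filters:
            filters.append(f)
    return filters


if __name__ == "__main__":
    roles = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for who in (["Ninja"], ["Ninja", "Power"], ["Ninja", "Compliance"]):
        print(who, sorted(user_capabilities(roles, who)), user_search_filters(roles, who))
```

Running it shows that Ninja on its own never obtains edit_alert_action, but a user who is also in Power does, which is the effect the "loosest permissions" note warns about when assigning several roles.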

List of available capabilities

This list shows capabilities available for roles. Check authorize.conf for the most up-to-date version of this list. The Admin role has all the capabilities in this list.

[role_Admin]
edit_user               = change user information in CLI/UI.
edit_search_server      = gives you the ability to write any xml config file in $SPLUNK_HOME/etc.
delete_user             = delete users in UI/CLI.
change_authentication   = this allows you to save authentication settings.
bounce_authentication   = reload authentication in the UI/CLI.
delete_by_keyword       = access delete search operator.
license_tab             = access license tab.
edit_alert_action       = change alert actions.
edit_roles              = change user mappings to roles.
edit_deployment_server  = change deployment server settings.
edit_deployment_client  = change deployment client settings.
indexes_edit            = change index settings.
edit_input_defaults     = change default input settings.
edit_monitor            = change monitor input settings.
edit_scripted           = change scripted input settings.
edit_splunktcp          = set distributed data settings over tcp.
edit_splunktcp_ssl      = set tcp ssl settings.
edit_tcp                = change tcp input settings.
edit_udp                = change udp input settings.
edit_server             = change server settings in server.conf.
edit_web_settings       = change the web.conf settings.
edit_forwarders         = change settings on the forwarding side.
use_file_operator       = use the file operator to search your file system.
request_auth_token      = get auth token for other users.
rest_apps_management    = manage applications via the REST endpoint.
rest_properties_get     = read REST services/properties.
rest_properties_set     = write REST services/properties.
admin_all_objects       = ability to administer all objects in the system (user objects, search jobs, etc.).
importRoles             = other roles from which this role imports capabilities
                          (the admin user imports from the Power and User roles).
srchFilter              = restrictions on what Splunk objects this role can see or manipulate
                          (the admin user has no restrictions).
Revision: 207