Documentation:
3.3.1
Use this file to configure roles and granular access controls.
authorize.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for creating roles in authorize.conf.
# You can configure roles and granular access controls by creating your own authorize.conf.
# There is an authorize.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an authorize.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# authorize.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.
# Stanza template: <capability> is a placeholder for the capability's name.
# Capabilities defined here, or registered dynamically as described below, are the
# names that role stanzas enable or disable.
[capability::<capability>]
* Define a capability in Splunk.
* This can also be added dynamically by software registering in the system (see restmap.conf.spec).
* Splunk adds most of its capabilities this way so they are enumerated at the end of the file for reference.
* See below for the default list of capabilities.
# Stanza template for a role; <roleName> is a placeholder.
# A role's effective permissions are its own capability lines plus whatever the roles
# named in importRoles carry, so review the imported roles as well as the local entries.
[role_<roleName>]
# Per the syntax on the next line, the values are enabled and disabled. In the reference
# list later in this file, most right-hand sides are descriptions of the capability,
# not values to copy into authorize.conf.
<capability_name> = <enabled|disabled>
* Capability attached to this role.
* You can list many of these.
importRoles = <string>
* Semicolon delimited list of other role capabilities that should be imported.
# NOTE(review): this spec does not say how search filters combine when importRoles brings
# in roles with different (or empty) srchFilter values -- verify on a test instance
# before treating srchFilter as an access boundary.
srchFilter = <string>
* Semicolon delimited list of search filters for this Role.
srchTimeWin = <string>
* Maximum time span of a search.
* In seconds.
# The following is a list of Splunk's capabilities. NOTE: This list is subject to change as
# new capabilities are added and old ones are deprecated. If you encounter problems while
# configuring authorize.conf, please contact support@splunk.com.
# Reference listing for the default Admin role. The text after "=" on each capability
# line is a description of the capability, not a literal value.
# Admin also imports Power, User and Everybody (see importRoles at the end of the stanza),
# so it holds the capabilities listed under those roles as well.
# NOTE(review): entries such as edit_search_server, edit_authen, edit_roles,
# request_auth_token, edit_audit, delete_by_keyword, edit_scripted and the run_script_*
# capabilities cover configuration writes, authentication, role mapping, audit settings,
# data deletion and script execution. When building a custom role, grant these
# individually and only where needed rather than importing Admin.
[role_Admin]
edit_user = change user information in CLI/UI.
edit_search_server = gives you the ability to write any xml config file in $SPLUNK_HOME/etc.
delete_user = delete users in UI/CLI.
user_tab = access users in Splunk Web.
edit_authen = edit authentication configurations.
delete_authen = delete authentication configurations.
sync_auth = sync your auth system with Splunk's settings.
edit_server_config = edit server configurations.
delete_eventtype_tag = delete eventtype tags.
delete_global_search = delete a saved search.
config_management = manage configurations.
access_datastore = allows access to tagging info and license usage info.
change_authentication = this allows you to save authentication settings.
bounce_authentication = reload authentication in the UI/CLI.
target_processor = save settings to Splunk's internal processors
admin_operator = run the admin operator while searching.
delete_by_keyword = access delete search operator.
allow_shutdown = shutdown Splunk.
write_config_splunkd = narrows write config to splunkd.xml, for server tab in Splunk Web.
server_settings_tab = access server settings tab in Splunk Web.
server_control_tab = access server control tab in Splunk Web.
server_auth_config_tab = access server authentication configurations in Splunk Web.
distributed_all_tab = enables the distributed search tab in Splunk Web.
distributed_receive_tab = enables the distributed search receive tab in Splunk Web.
distributed_forward_tab = enables the distributed search forwarding tab in Splunk Web.
distributed_search_tab = enables the distributed search tab in Splunk Web.
license_tab = access license tab.
search_admin_index = search the admin index or any index prefaced with a _.
edit_alert_action = change alert actions.
edit_applications = access the applications section of Splunk Web Admin page.
edit_audit = change audit settings.
edit_roles = change user mappings to roles.
edit_deployment_server = change deployment server settings.
edit_deployment_class_mapping = edit deployment classes.
edit_deployment_client = change deployment client settings.
edit_event_discoverer = change event discovery settings.
edit_field_actions = change field action settings.
edit_index = change index settings.
edit_input_defaults = change default input settings.
edit_batch = change watch/batch input settings.
edit_fifo = change FIFO settings.
edit_filter = configure filter for fschange monitor.
edit_fschange = change file system monitor settings.
edit_monitor = change monitor input settings.
edit_scripted = change scripted input settings.
edit_splunktcp = set distributed data settings over tcp.
edit_splunktcp_ssl = set tcp ssl settings.
edit_ssl = set ssl settings.
edit_tcp = change tcp input settings.
edit_udp = change udp input settings.
edit_prefs = edit prefs.conf.
edit_props = edit props.conf.
edit_transaction_types = edit transactiontypes.conf
edit_transform = edit transforms.conf.
edit_segmenter = edit segmenters.conf.
edit_server = change server settings in server.conf.
edit_source_classifier = change source classification as sourcetype.
edit_admin_tabs = controls editing admin tabs stanza in web.conf.
edit_web_settings = change the web.conf settings.
edit_forward_server = change settings on the forwarding side.
run_script_crawl = run the crawl script.
run_script_input = run input script.
run_script_idxprobe = run idxprobe script
use_file_operator = use the file operator to search of your file system.
# NOTE(review): a token for another user lets the holder act as that user; audit which
# roles carry this capability.
request_auth_token = get auth token for other users.
edit_user_searches = edit any saved search.
rest_apps_management = manage applications via the REST endpoint.
rest_properties_get = read REST services/properties.
rest_properties_set = write REST services/properties.
importRoles = Power;User;Everybody
# Empty value: the listing sets no search filter for this role.
srchFilter =
# Reference listing for the default Power role. The text after "=" on each capability
# line is a description, not a literal value.
# Power adds shared saved-search, scheduling, alerting and tagging capabilities on top of
# what it imports from User and Everybody; Admin in turn imports Power.
[role_Power]
edit_global_save_search = edit a shared saved search.
schedule_search = schedule a search.
delete_global_save_search = delete a shared saved search.
create_alert = schedule an alert for a scheduled search.
start_alert = run alerts for a scheduled search.
start_global_alert = run a shared alert for a scheduled search.
stop_alert = disable an alert.
stop_global_alert = disable a shared alert.
edit_role_search = save a search to a specific role.
allow_livetail = display live tail in the UI.
edit_tags = set tags for events.
run_script_collect = run collect script.
importRoles = User;Everybody
# Empty value: the listing sets no search filter for this role.
srchFilter =
# Reference listing for the default User role. Power and Admin import this role, so
# everything here is also held by them -- and by any custom role whose importRoles
# names User.
# Lines up to run_web_script_fields carry a description after "="; from
# run_web_script_surrounding_events onward the listing shows the literal value enabled.
[role_User]
edit_local_search = change only your own searches.
savesearch_tab = access saved searches via Splunk Web.
get_metadata = access metadata for metadata search processor.
get_typeahead = allow typeahead.
edit_eventtype = configure eventtypes via eventtype.conf.
get_user_prefs = retrieve your own user prefs.
set_user_prefs = write your own prefs.
# NOTE(review): the name suggests a read, but the description says write -- confirm what
# this capability actually permits before granting it.
get_property_map = lets you write to a conf file.
access_datamap = export global data import global data via the CLI.
get_config_by_type = access configurations.
# NOTE(review): "any configuration file" is broad for a baseline role; check whether
# configuration files on your deployment hold credentials or other sensitive settings.
get_config_file = access any configuration file.
search = run a search.
# Script running capabilities
list_inputs = list inputs.
list_saved_searches = list saved searches -- see your own and those shared with your role.
run_web_script_fields = Interactive field extraction script.
run_web_script_surrounding_events = enabled
# These scripts are located in $SPLUNK_HOME/etc/searchscripts/
run_script_createrss = enabled
run_script_diff = enabled
run_script_gentimes = enabled
run_script_head = enabled
run_script_iplocation = enabled
run_script_loglady = enabled
run_script_marklar = enabled
run_script_overlap = enabled
run_script_reportcache = enabled
# NOTE(review): judging by its name this runs a shell script, and it is enabled in the
# baseline User role; confirm that is intended for every role that imports User.
run_script_runshellscript = enabled
run_script_sendemail = enabled
run_script_transpose = enabled
run_script_uniq = enabled
run_script_windbag = enabled
run_script_mocknodegraph = enabled
run_script_xmlkv = enabled
run_script_xmlunescape = enabled
importRoles = Everybody
# Empty value: the listing sets no search filter for this role.
srchFilter =
# Base role imported by Admin, Power and User above. In this listing it defines no
# capabilities of its own, only an empty srchFilter.
[role_Everybody]
srchFilter =
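# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This is an example authorize.conf. Use this file to configure roles and capabilities.
#
# To use one or more of these configurations, copy the configuration block into authorize.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.

# Each setting must sit on its own line. If the stanza is pasted as a single line that
# begins with "#", the whole line reads as a comment and no role is defined.
[role_Ninja]
# NOTE(review): edit_save_search does not appear in the capability list of
# authorize.conf.spec; the closest listed names are edit_global_save_search and
# edit_local_search. Confirm the intended capability name before copying this block.
edit_save_search = enabled
schedule_search = enabled
edit_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
savesearch_tab = enabled
edit_tags = enabled
# Importing User brings in every capability listed under role_User in the spec,
# including run_script_runshellscript and get_config_file, so this role is broader
# than the seven capability lines above suggest.
importRoles = User;Everybody
# NOTE(review): the imported roles have an empty srchFilter; verify on a test instance
# that host=foo still restricts results once those roles are imported.
srchFilter = host=foo

# This creates the role Ninja, which inherits capabilities from the default roles User and Everybody.
# Ninja has almost the same capabilities as Power, except cannot create alerts (only saved searches).
# Also, Ninja is limited to searching on host=foo.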