Delegated admin

The role hierarchy in Splunk allows a user who has the ‘edit_user’ capability to create other Splunk users and grant them any role, including admin. But what if you want to delegate user creation to a ‘mini-admin’ who should be able to create only ordinary users, but not more admins?

Starting with 6.2, we have the concept of a delegated admin, who can create users that may only belong to a pre-provided list of roles. This is a way of enforcing the principle that users can only create other users with privileges that are a subset of their own.

Let us see how this can be achieved.

Step 1 – Create a new role with the ‘edit_user’ capability and pass in an additional attribute called ‘grantable_roles’ at the time of role creation. You can do so using curl or ‘splunk _internal’.


Here, we have created a new role called ‘delegated_admin’. A user belonging to this role can create users, but those users can only be given the ‘user’ or ‘power’ role.


Step 2 – Create a user for that role. Let us call the new user ‘delegated-admin’.



Step 3 – User ‘delegated_admin’ now creates new users.



But he is prevented from creating users with any role outside the set of ‘grantable_roles’. Thus, a delegated admin cannot build a new user with permissions that he himself does not already have.
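The three steps above as a runnable walkthrough, added here as an example and not code from the original post or from Splunk. It assumes splunkd's default management port (8089 on localhost), the standard ‘/services/authorization/roles’ and ‘/services/authentication/users’ REST endpoints with their ‘name’, ‘capabilities’, ‘grantable_roles’, ‘password’ and ‘roles’ form parameters, and placeholder credentials; the ‘RoleTable’ class is a local model of the rule the post describes (creator needs ‘edit_user’; a role carrying a ‘grantable_roles’ list can hand out only those roles), so you can check a request against the policy before sending it.

```python
# Added example (not the post's or Splunk's own code).
# Assumptions: splunkd on https://localhost:8089, the standard role/user REST
# endpoints, and placeholder credentials. Requests are built but not sent.
import base64
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

SPLUNKD = "https://localhost:8089"  # assumption: default management port


def _post(path, fields, creds):
    """Build (without sending) a form-encoded POST with HTTP basic auth,
    the same shape `curl -k -u user:pass -d ...` produces."""
    user, password = creds
    req = Request(SPLUNKD + path, data=urlencode(fields).encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def create_role_request(name, capabilities, grantable_roles, creds):
    """Step 1: a role with edit_user plus a grantable_roles list.
    Repeated keys are how multi-valued parameters are passed to splunkd."""
    fields = [("name", name)]
    fields += [("capabilities", c) for c in capabilities]
    fields += [("grantable_roles", r) for r in grantable_roles]
    return _post("/services/authorization/roles", fields, creds)


def create_user_request(name, password, roles, creds):
    """Steps 2 and 3: create a user; `creds` decides who is doing the creating."""
    fields = [("name", name), ("password", password)]
    fields += [("roles", r) for r in roles]
    return _post("/services/authentication/users", fields, creds)


def request_fields(req):
    """Decode a prepared request body back into {param: [values]} for inspection."""
    return parse_qs(req.data.decode())


class RoleTable:
    """Local model of the delegated-admin rule. Assumption: a role with
    edit_user and no grantable_roles list (like the built-in admin) keeps the
    unrestricted behaviour and may grant any role."""

    def __init__(self):
        self.roles = {}

    def add_role(self, name, capabilities=(), grantable_roles=None):
        self.roles[name] = {
            "capabilities": set(capabilities),
            "grantable_roles": None if grantable_roles is None else set(grantable_roles),
        }

    def disallowed_roles(self, creator_roles, requested_roles):
        """Return the requested roles the creator may NOT grant (empty set = allowed)."""
        has_edit_user, unrestricted, grantable = False, False, set()
        for r in creator_roles:
            spec = self.roles[r]
            if "edit_user" in spec["capabilities"]:
                has_edit_user = True
                if spec["grantable_roles"] is None:
                    unrestricted = True
                else:
                    grantable |= spec["grantable_roles"]
        if not has_edit_user:
            return set(requested_roles)  # cannot create users at all
        if unrestricted:
            return set()
        return set(requested_roles) - grantable


if __name__ == "__main__":
    admin = ("admin", "changeme")                 # placeholder credentials
    delegated = ("delegated-admin", "changeme")   # placeholder credentials

    table = RoleTable()
    table.add_role("admin", capabilities={"edit_user"})
    table.add_role("power")
    table.add_role("user")
    table.add_role("delegated_admin", capabilities={"edit_user"},
                   grantable_roles={"user", "power"})

    # Step 1 and 2, issued as admin.
    r1 = create_role_request("delegated_admin", ["edit_user"], ["user", "power"], admin)
    r2 = create_user_request("delegated-admin", "changeme", ["delegated_admin"], admin)
    print(r1.full_url, request_fields(r1))
    print(r2.full_url, request_fields(r2))

    # Step 3: the delegated admin may create a 'user' but not an 'admin'.
    print(table.disallowed_roles(["delegated_admin"], ["user"]))   # set()
    print(table.disallowed_roles(["delegated_admin"], ["admin"]))  # {'admin'}
```

Before sending a Step 3 request, run ‘disallowed_roles’ with the creator's roles: a non-empty result is exactly the case the post describes, where splunkd will refuse the request because the delegated admin is asking for a role outside his ‘grantable_roles’.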



Posted by Rama Gopalan

