User Roles & Capabilities In Splunk

In Splunk, users are assigned to one or more roles after they are created. A role is a named set of capabilities, and each capability defines an action the user is allowed to perform in Splunk Enterprise. Roles can also inherit from other roles (importRoles in authorize.conf), so a user's effective capabilities are the union of everything granted along that inheritance chain. Splunk ships with five default roles, listed below.

  1. admin :

This role is designed for Splunk administrators who are responsible for managing users, objects, and configuration. By default it has the largest number of capabilities assigned to it.

  1. can_delete :

This role grants the delete_by_keyword capability, which lets a user run the delete search command. Assign it only when someone actually needs to remove events, and note that delete only marks the matching events as unsearchable; it does not remove them from the index files or free disk space.

  1. power :

This role can edit all shared objects (reports, macros, and so on), manage alerts, tag events, and perform similar tasks. It holds more capabilities than the user role but fewer than the admin role.

  1. splunk-system-role :

The splunk-system-role is a special role that all "system" jobs run as, for example summary refreshes, report acceleration, and data model acceleration.

  1. user :

This role is limited to creating and editing its own objects, running searches, creating and editing event types, and similar tasks.
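Because capabilities are inherited through importRoles, the capability list of a single role stanza does not tell you what a user can actually do. The script below is an added example (not code from the original post or from Splunk): it parses an authorize.conf-style file, resolves each role's effective capabilities through importRoles, and flags roles that end up holding capabilities that amount to full control of the instance or access to stored secrets. The sample configuration, the soc_analyst role, and the HIGH_RISK list are constructed for this demonstration; on a real instance you would feed it the output of `splunk btool authorize list` or the merged authorize.conf.

```python
# Added example: resolve effective Splunk role capabilities from an
# authorize.conf-style file and flag high-risk grants.
import configparser
from typing import Dict, Set

# Capabilities that, on their own, let the holder become admin or read
# secrets. This list is an assumption based on the capability descriptions
# on this page, not a list published by Splunk.
HIGH_RISK = {
    "admin_all_objects",       # read/modify any object on the instance
    "edit_roles",              # grant yourself more capabilities
    "edit_roles_grantable",    # same, for a limited set of roles
    "edit_user",               # create users, reset other users' passwords
    "change_authentication",   # swap or reload the auth backend
    "edit_httpauths",          # end other users' sessions
    "list_storage_passwords",  # read stored credentials in clear text
    "install_apps",            # install arbitrary app code
    "edit_local_apps",
    "restart_splunkd",
}

# Constructed sample config. Only admin/power/user/can_delete are real
# default roles; soc_analyst is hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
change_own_password = enabled
search = enabled
get_metadata = enabled
list_inputs = enabled
srchIndexesAllowed = main
srchIndexesDefault = main
srchJobsQuota = 3

[role_power]
importRoles = user
schedule_search = enabled
rtsearch = enabled
accelerate_search = enabled
embed_report = enabled
srchIndexesAllowed = main;security
srchJobsQuota = 10

[role_admin]
importRoles = power
admin_all_objects = enabled
edit_roles = enabled
edit_user = enabled
change_authentication = enabled
restart_splunkd = enabled
srchIndexesAllowed = *

[role_soc_analyst]
importRoles = power
list_storage_passwords = enabled
srchIndexesAllowed = security

[role_can_delete]
delete_by_keyword = enabled
"""


def load_roles(conf_text: str) -> Dict[str, dict]:
    """Parse [role_<name>] stanzas into {name: {"imports": [...], "caps": set()}}.

    Keys whose value is "enabled" are capabilities; srch* keys and
    importRoles are role settings and are kept out of the capability set.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # capability names are case-sensitive
    cp.read_string(conf_text)
    roles: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        imports = [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in cp[section].items() if v.strip().lower() == "enabled"}
        roles[name] = {"imports": imports, "caps": caps}
    return roles


def effective_capabilities(roles: Dict[str, dict], name: str, _seen: Set[str] = None) -> Set[str]:
    """Union of the role's own capabilities and everything it imports, transitively."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in roles:  # cycle guard / unknown role
        return set()
    _seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def risky_roles(roles: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Map each role to the HIGH_RISK capabilities it effectively holds."""
    out: Dict[str, Set[str]] = {}
    for name in roles:
        hits = effective_capabilities(roles, name) & HIGH_RISK
        if hits:
            out[name] = hits
    return out


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for role in roles:
        print(f"{role}: {len(effective_capabilities(roles, role))} effective capabilities")
    for role, hits in risky_roles(roles).items():
        print(f"  HIGH RISK {role}: {', '.join(sorted(hits))}")
```

Run against the sample, the script reports soc_analyst as high risk even though its own stanza only adds list_storage_passwords: that single capability exposes every credential stored through storage/passwords, which is the kind of grant that is easy to miss when reviewing role stanzas one at a time.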

Capabilities for Splunk users :

Below is the list of capabilities that can be added to any role. For each one, "Access" shows whether the default admin, user, and power roles hold it out of the box.

  1. accelerate_datamodel :

Access : Admin Yes | User No | Power No

Lets a user enable or disable acceleration for data models.

  1. accelerate_search :

Access : Admin Yes | User Yes | Power Yes

Lets a user enable or disable acceleration for reports. Requires the schedule_search capability.

  1. admin_all_objects

Access : Admin Yes | User No | Power No

Lets a user access and modify any object in the system, regardless of who owns it or how it is shared. Treat this capability as equivalent to admin.

  1. change_authentication :

Access : Admin Yes | User No | Power No

Lets a user change authentication settings and reload the authentication configuration.

  1. change_own_password

Access : Admin Yes | User Yes | Power Yes

Lets a user change their own password.

  1. delete_by_keyword :

Access : Admin No | User No | Power No

Lets a user run the delete search command. By default only the can_delete role holds this capability.

  1. delete_messages :

Access : Admin Yes | User Yes | Power Yes

Lets a user delete system messages that appear in the Splunk Web navigation bar.

  1. dispatch_rest_to_indexers :

Access : Admin Yes | User No | Power No

Lets a user dispatch the rest search command to indexers.

  1. edit_bookmarks_mc :

Access : Admin Yes | User No | Power No

Lets a user add bookmark URLs within the Monitoring Console.

  1. edit_deployment_client :

Access : Admin Yes | User No | Power No

Lets a user change deployment client settings.

  1. edit_deployment_server :

Access : Admin Yes | User No | Power No

Lets a user change deployment server settings, and create or change the remote inputs that are pushed to forwarders and other deployment clients.

  1. edit_dist_peer :

Access : Admin Yes | User No | Power No

Lets a user add and edit peers for distributed search.

  1. edit_encryption_key_provider :

Access : Admin Yes | User No | Power No

Lets a user view and edit key provider properties when Server-Side Encryption (SSE) is used for a remote storage volume.

  1. edit_forwarders :

Access : Admin Yes | User No | Power No

Lets a user change forwarder settings, including SSL settings, backoff schemes, and so on. Also used by the TCP and syslog output admin handlers.

  1. edit_health :

Access : Admin Yes | User No | Power No

Lets a user enable or disable health reporting, set health status alerts, and set indicator thresholds for a feature in the splunkd health status tree through the server/health-config endpoint.

  1. edit_httpauths :

Access : Admin Yes | User No | Power No

Lets a user view and end user sessions through the httpauth-tokens endpoint.

  1. edit_indexer_cluster :

Access : Admin Yes | User No | Power No

Lets a user edit indexer clusters.

  1. edit_indexerdiscovery

Access : Admin Yes | User No | Power No

Lets a user edit settings for indexer discovery, including master_uri, pass4SymmKey, and so on.

  1. edit_input_defaults :

Access : Admin Yes | User No | Power No

Lets a user use the server settings endpoint to change the default hostname for input data.

  1. edit_local_apps :

Access : Admin Yes | User No | Power No

Lets a user perform application management actions. Applies only when enable_install_apps is set to "true" in authorize.conf.

  1. edit_metric_schema :

Access : Admin Yes | User No | Power No

Lets a user set up log-to-metrics transformations, which convert single log events into multiple metric data points.

  1. edit_metrics_rollup :

Access : Admin Yes | User No | Power No

Lets a user create and edit metrics rollup policies, which set rules for the aggregation and summarization of metrics on a specific metric index.

  1. edit_monitor :

Access : Admin Yes | User No | Power No

Lets a user add inputs and edit settings for monitoring files.

  1. edit_roles :

Access : Admin Yes | User No | Power No

Lets a user edit roles and change user/role mappings. Used by both the user and role endpoints. A holder can grant any capability to their own role, so treat this as equivalent to admin.

  1. edit_roles_grantable :

Access : Admin Yes | User No | Power No

Lets a user edit roles and change user/role mappings for a limited set of roles (those listed in the grantableRoles setting of their own role).

  1. edit_scripted :

Access : Admin Yes | User No | Power No

Lets a user create and edit scripted inputs.

  1. edit_search_concurrency_all :

Access : Admin Yes | User No | Power No

Lets a user edit settings related to the maximum concurrency of searches.

  1. edit_search_concurrency_scheduled :

Access : Admin No | User No | Power No

Lets a user edit settings related to the concurrency of scheduled searches. Not assigned to any of the default roles listed here.

  1. edit_search_head_clustering :

Access : Admin Yes | User No | Power No

Lets a user edit search head clustering settings.

  1. edit_search_schedule_priority :

Access : Admin Yes | User No | Power No

Lets a user assign a search a higher-than-normal schedule priority.

  1. edit_search_schedule_window :

Access : Admin Yes | User Yes | Power Yes

Lets a user assign schedule windows to scheduled reports. Requires the schedule_search capability.

  1. edit_search_scheduler:

Access : Admin Yes | User No | Power No

Lets a user enable or disable the search scheduler.

  1. edit_search_server :

Access : Admin Yes | User No | Power No

Lets a user edit general distributed search settings such as timeouts, heartbeats, and blacklists.

  1. edit_server :

Access : Admin Yes | User No | Power No

Lets a user edit general server settings such as the server name, log levels, and so on.

  1. edit_server_crl :

Access : Admin Yes | User No | Power No

Lets a user reload the certificate revocation list (CRL) used by the Splunk server.

  1. edit_sourcetypes :

Access : Admin Yes | User No | Power No

Lets a user edit sourcetypes. See the Knowledge Manager manual for more information about sourcetypes.

  1. edit_splunktcp :

Access : Admin Yes | User No | Power No

Lets a user change settings for receiving TCP inputs from another Splunk instance.

  1. edit_splunktcp_ssl :

Access : Admin Yes | User No | Power No

Lets a user view or edit any SSL-specific settings for Splunk TCP inputs.

  1. edit_splunktcp_token :

Access : Admin Yes | User No | Power No

Lets a user edit the Splunk TCP token.

  1. edit_tcp :

Access : Admin Yes | User No | Power No

Lets a user change settings for receiving general TCP inputs.

  1. edit_tcp_token :

Access : Admin Yes | User No | Power No

Lets a user change TCP tokens. This is an admin capability.

  1. edit_telemetry_settings :

Access : Admin Yes | User No | Power No

Lets a user change telemetry settings.

  1. edit_token_http :

Access : Admin Yes | User No | Power No

Lets a user create, edit, display, and remove settings for HTTP token inputs (HTTP Event Collector).

  1. edit_tokens_all :

Access : Admin Yes | User No | Power No

Lets a user issue authentication tokens for any user.

  1. edit_tokens_own :

Access : Admin Yes | User No | Power No

Lets a user issue authentication tokens for their own account.

  1. edit_tokens_settings :

Access : Admin Yes | User No | Power No

Lets a user manage authentication token settings.

  1. edit_udp :

Access : Admin Yes | User No | Power No

Lets a user change settings for UDP inputs.

  1. edit_user :

Access : Admin Yes | User No | Power No

Lets a user create, edit, or remove users, including resetting other users' passwords. Treat this as equivalent to admin.

  1. edit_view_html :

Access : Admin Yes | User No | Power No

Lets a user create, edit, or modify HTML-based views.

  1. edit_web_settings :

Access : Admin Yes | User No | Power No

Lets a user change web.conf settings through the system settings endpoint.

  1. edit_workload_pools :

Access : Admin Yes | User No | Power No

Lets a user create and edit workload pools through the workloads endpoint.

  1. edit_workload_rules :

Access : Admin Yes | User No | Power No

Lets a user create and edit workload rules through the workloads/rules endpoint.

  1. embed_report :

Access : Admin Yes | User No | Power Yes

Lets a user embed reports and disable embedding for embedded reports.

  1. export_results_is_visible :

Access : Admin Yes | User Yes | Power Yes

Lets a user display or hide the Export Results button in Splunk Web.

  1. extra_x509_validation :

Access : Admin Yes | User Yes | Power Yes

Lets a user perform additional X.509 certificate validation.

  1. get_diag :

Access : Admin Yes | User No | Power No

Lets a user generate a diag (diagnostic bundle) from the instance through the REST API.

  1. get_metadata :

Access : Admin Yes | User Yes | Power Yes

Lets a user use the metadata search command.

  1. get_typeahead :

Access : Admin Yes | User Yes | Power Yes

Enables typeahead (search bar autocompletion) for the user, both in Splunk Web and at the typeahead endpoint.

  1. indexes_edit :

Access : Admin Yes | User No | Power No

Lets a user change any index setting, such as file size and memory limits.

  1. input_file :

Access : Admin Yes | User Yes | Power Yes

Lets a user add a file as an input through inputcsv and inputlookup.

  1. install_apps :

Access : Admin Yes | User No | Power No

Lets a user install, uninstall, create, and update apps.

Note : Applies only when enable_install_apps is set to "true" in authorize.conf.

  1. license_edit :

Access : Admin Yes | User No | Power No

Lets a user edit the license.

  1. license_tab :

Access : Admin Yes | User No | Power No

Lets a user access the license tab in Settings.

  1. license_view_warnings :

Access : Admin Yes | User No | Power No

Lets a user see license warnings.

  1. list_accelerate_search :

Access : Admin Yes | User No | Power No

Lets a user view accelerated reports. It does not let the user accelerate reports.

  1. list_deployment_client :

Access : Admin Yes | User No | Power No

Lets a user view deployment client settings.

  1. list_deployment_server :

Access : Admin Yes | User No | Power No

Lets a user view the deployment server setup.

  1. list_forwarders :

Access : Admin Yes | User No | Power No

Lets a user view the list of forwarders and the settings for data forwarding.

  1. list_health :

Access : Admin Yes | User No | Power No

Lets a user monitor the health of Splunk Enterprise through the REST API.

  1. list_httpauths :

Access : Admin Yes | User No | Power No

Lets a user view user sessions through the httpauth-tokens endpoint.

  1. list_indexer_cluster :

Access : Admin Yes | User No | Power No

Lets a user view the list of indexer clusters as well as indexer cluster objects such as buckets, peers, and so on.

  1. list_indexerdiscovery :

Access : Admin Yes | User No | Power No

Lets a user view settings for indexer discovery.

  1. list_inputs :

Access : Admin Yes | User Yes | Power Yes

Lets a user view lists of the various inputs, including inputs from files, TCP, UDP, scripts, and so on.

  1. list_introspection :

Access : Admin Yes | User No | Power No

Lets a user read introspection settings and statistics for indexers, search, processors, queues, and so on.

  1. list_metrics_catalog :

Access : Admin Yes | User Yes | Power Yes

Lets a user list metrics catalog information such as metric names, dimensions, and dimension values.

  1. list_search_head_clustering :

Access : Admin Yes | User No | Power No

Lets a user list search head clustering objects such as artifacts, alerts, and so on.

  1. list_search_scheduler :

Access : Admin Yes | User No | Power No

Lets a user list search scheduler settings.

  1. list_settings :

Access : Admin Yes | User No | Power No

Lets a user list general server and introspection settings.

  1. list_storage_passwords :

Access : Admin Yes | User No | Power No

Lets a user read the storage/passwords endpoint, which returns the credentials that apps and inputs have stored there, including the clear_password field. Treat this as a secrets-access capability and grant it sparingly.

  1. list_tokens_all :

Access : Admin Yes | User No | Power No

Lets a user view all authentication tokens.

  1. list_tokens_own :

Access : Admin Yes | User Yes | Power Yes

Lets a user view their own authentication tokens.

  1. list_workload_pools :

Access : Admin Yes | User No | Power No

Lets a user list and view workload pools.

  1. list_workload_rules :

Access : Admin Yes | User No | Power No

Lets a user list and view workload rules.

  1. metric_alerts :

Access : Admin Yes | User No | Power Yes

Lets a user create, update, enable, disable, and delete streaming metric alerts.

  1. never_expire :

Access : Admin Yes | User No | Power No

Prevents the user's account from expiring under the password policy.

  1. never_lockout :

Access : Admin Yes | User No | Power No

Prevents the user's account from being locked out after repeated failed login attempts.

  1. output_file :

Access : Admin Yes | User Yes | Power Yes

Lets a user create file outputs, including outputcsv and outputlookup.

  1. pattern_detect :

Access : Admin Yes | User Yes | Power Yes

Lets a user see and use the Patterns tab in the Search view.

  1. request_remote_tok :

Access : Admin Yes | User Yes | Power Yes

Lets a user obtain a remote authentication token.

  1. rest_apps_management :

Access : Admin Yes | User No | Power No

Lets a user edit settings in the Python remote apps handler in the local apps endpoint.

  1. rest_apps_view :

Access : Admin Yes | User Yes | Power Yes

Lets a user list properties in the Python remote apps handler in the local apps endpoint.

  1. rest_properties_get :

Access : Admin Yes | User Yes | Power Yes

Lets a user get information from the services/properties endpoint.

  1. rest_properties_set :

Access : Admin Yes | User Yes | Power Yes

Lets a user edit the services/properties endpoint.

  1. restart_splunkd :

Access : Admin Yes | User No | Power No

Lets a user restart Splunk Enterprise through the server control handler.

  1. rtsearch :

Access : Admin Yes | User No | Power Yes

Lets a user run real-time searches.

  1. run_collect :

Access : Admin Yes | User Yes | Power Yes

Lets a user run the collect command.

  1. run_mcollect :

Access : Admin Yes | User Yes | Power Yes

Lets a user run the mcollect and meventcollect commands.

  1. run_msearch :

Access : Admin Yes | User No | Power No

Lets a user run the msearch command.

  1. run_multi_phased_searches :

Access : Admin No | User No | Power No

This capability is not assigned to any role by default.

  1. schedule_rtsearch :

Access : Admin Yes | User Yes | Power Yes

Lets a user schedule real-time saved searches.

  1. schedule_search :

Access : Admin Yes | User No | Power Yes

Lets a user schedule saved searches, create and update alerts, and review triggered alert information.

  1. search :

Access : Admin Yes | User Yes | Power Yes

Lets a user run a search.

  1. search_process_config_refresh :

Access : Admin Yes | User No | Power Yes

Lets a user manually flush idle search processes through the search process config refresh endpoint.

  1. select_workload_pools :

Access : Admin Yes | User No | Power No

Lets a user assign a scheduled search or ad hoc search to a workload pool.

  1. srchFilter :

Access : Admin Yes | User No | Power No

Lets a user manage search filters. Note that in authorize.conf the srch* entries (srchFilter, srchIndexesAllowed, srchIndexesDefault, srchJobsQuota, srchMaxTime) are role settings that take a value, not enabled/disabled capabilities.

  1. srchIndexesAllowed :

Access : Admin Yes | User No | Power No

Restricts the indexes a role is allowed to search (a semicolon-separated list; * allows all indexes).

  1. srchIndexesDefault :

Access : Admin Yes | User No | Power No

Sets the indexes that are searched by default when a search does not specify index=.

  1. srchJobsQuota :

Access : Admin Yes | User No | Power No

Sets the maximum number of concurrent searches a user can run.

  1. srchMaxTime :

Access : Admin Yes | User No | Power No

Sets the maximum time a search can run.

  1. use_file_operator :

Access : Admin Yes | User No | Power No

Lets a user use the file search operator.

  1. web_debug :

Access : Admin Yes | User No | Power No

Lets a user access the /_bump and /debug/** web debug endpoints.

Hope you have understood the concept of User Roles & Capabilities in Splunk.

 

Happy Splunking!!
