Spread our blog

About Splunk Users and Roles

Splunk Enterprise like any other software allows you to create users with passwords and assign them to roles, but the point to ponder upon is, How Splunk associates its users with the roles?

In Splunk, roles determine the access and permissions of any user assigned to that role. 


Predefined roles in Splunk Enterprise:

  • admin:  The role is designed for Splunk administrators who are responsible for managing the users, objects, and configurations. This role by default has the most number of capabilities assigned to it.
  • power:  This role has the privilege to edit all shared objects (reports, macros etc)  alerts, tag events, and other similar tasks, the number of capabilities is greater than the role user but less than the role admin.
  • user:  This role is limited to create and edit its own objects, set its own preferences, run searches, create and edit event types, and other similar tasks.
  • can_delete: Users assigned this role can delete by keyword. The capability related to this role is necessary when using the delete search operator and by default, no role has this capability.

NOTE: The splunk-system-role is a  special role that all “system” jobs run as, example – summary refreshes, report accelerations etc.

Splunk also allows to create custom roles and assign the users you create to those roles. When you create a custom role, you regulate :

  • The searches that a user assigned to the role is allowed to perform.
  • The role inheritance, certain properties of one or more existing roles. 
  •  The access to specific indexes and set the event and metrics indexes that will be searched by default.
  • The allowed actions (changing their password, accelerate search, etc) of the user assigned to the role. 

Search filter restrictions inheritance by users

You can create roles that inherit the characteristics of other roles. Users assigned to the multiple roles inherit properties from all the assigned roles to have maximum possible capabilities.

In the case of search filters, if a user has multiple roles with different search filters, the filters are all combined resulting in the restrictions of each role to be applied. For Instance, by default, the Power and User roles do not have any search filters defined to restrict user searches. If a user has a combination of these roles and another role with filters defined (example, srchFilter=y ), the user will inherit the restrictions of that role.

Inheritance of allowed indexes by users

In this case, the user is given the highest level of access granted to any role to which they have been assigned. For instance, if a user is assigned to the role “normal_user” which limits access to one particular index, and also to a role “privileged_user” which has more capabilities and allows access to all indexes, the user will have access to all indexes. 

Inheritance of capabilities by users

In this case, the user is allowed to have the highest level of capabilities granted to any role to which they have been assigned. For instance, if a user is assigned to the role “privileged_user” which has the most capabilities, and also to a role “special_user” which a different set of capabilities, the user will have the capabilities of both roles.

NOTE: Users with multiple roles inherit properties from the role with the largest set permissions.

Thanks for Reading…

Happy Splunking!!

What’s your Reaction?

Spread our blog



Please enter your comment!
Please enter your name here