User Roles & Capabilities In Splunk
In Splunk, after users are created they are assigned to roles. A role is a collection of capabilities, and each capability defines an action a user is allowed to perform in Splunk Enterprise. By default Splunk provides five user roles, listed below.
- admin :
This role is designed for Splunk administrators who are responsible for managing users, objects, and configurations. By default it has the largest number of capabilities assigned to it.
- can_delete :
This role allows the user to delete events with the delete search command. Assign it when a user needs to use the delete search operator.
- power :
This role has the capabilities to edit all shared objects (reports, macros, etc.) and alerts, tag events, and perform other similar tasks. It has more capabilities than the user role but fewer than the admin role.
- splunk-system-role :
The splunk-system-role is a special role that all "system" jobs run as, for example summary refreshes, report acceleration and data model acceleration.
- user :
This role is limited to creating and editing its own objects, running searches, creating and editing event types, and other similar tasks.
Capabilities for Splunk users :
Below is the list of capabilities that can be added to any role. For each capability, the Admin, User and Power columns show whether that default role holds the capability out of the box.
| Capability | Admin | User | Power | Description |
|---|---|---|---|---|
| accelerate_datamodel | Yes | No | No | Admin can enable or disable acceleration for data models. |
| accelerate_search | Yes | Yes | Yes | User can enable or disable acceleration for reports. Also requires the schedule_search capability. |
| admin_all_objects | Yes | No | No | User can access and modify any object in the system. |
| change_authentication | Yes | No | No | User can change authentication settings and reload authentication. |
| change_own_password | Yes | No | No | User can change their own password. |
| delete_by_keyword | No | No | No | |
| delete_messages | Yes | Yes | Yes | User can delete system messages that appear in the UI navigation bar. |
| dispatch_rest_to_indexers | Yes | No | No | User can run the rest search command against indexers. |
| edit_bookmarks_mc | Yes | No | No | User can add bookmark URLs within the Monitoring Console. |
| edit_deployment_client | Yes | No | No | User can change deployment client settings. |
| edit_deployment_server | Yes | No | No | User can change deployment server settings, and can change or create remote inputs that are pushed to forwarders and other deployment clients. |
| edit_dist_peer | Yes | No | No | User can add and edit peers for distributed search. |
| edit_encryption_key_provider | Yes | No | No | User can view and edit key provider properties when using Server-Side Encryption (SSE) for a remote storage volume. |
| edit_forwarders | Yes | No | No | User can change forwarder settings, including settings for SSL, backoff schemes, etc. Also used by the TCP and syslog output admin handlers. |
| edit_health | Yes | No | No | User can enable or disable health reporting, set health status alerts, and set indicator thresholds for a feature in the splunkd health status tree through the server/health-config/ endpoint. |
| edit_httpauths | Yes | No | No | User can edit and end user sessions through the httpauth-tokens endpoint. |
| edit_indexer_cluster | Yes | No | No | User can edit indexer clusters. |
| edit_indexerdiscovery | Yes | No | No | User can edit settings for indexer discovery, including master_uri, pass4SymmKey, and so on. |
| edit_input_defaults | Yes | No | No | User can use the server settings endpoint to change default hostnames for input data. |
| edit_local_apps | Yes | No | No | User can edit actions for application management. Applies only when enable_install_apps is set to "true" in authorize.conf. |
| edit_metric_schema | Yes | No | No | User can set up log-to-metrics transformations, which convert single log events into multiple metric data points. |
| edit_metrics_rollup | Yes | No | No | User can create and edit metrics rollup policies, which set rules for aggregating and summarizing metrics on a specific metric index. |
| edit_monitor | Yes | No | No | User can add inputs and edit settings for monitoring files. |
| edit_roles | Yes | No | No | User can edit roles and change user/role mappings. Used by both the user and role endpoints. |
| edit_roles_grantable | Yes | No | No | User can edit roles and change user/role mappings for a limited set of roles. |
| edit_scripted | Yes | No | No | User can create and edit scripted inputs. |
| edit_search_concurrency_all | Yes | No | No | User can edit settings related to the maximum concurrency of searches. |
| edit_search_concurrency_scheduled | No | No | No | User can edit settings related to the concurrency of scheduled searches. Not assigned to any role by default. |
| edit_search_head_clustering | Yes | No | No | User can edit search head clustering settings. |
| edit_search_schedule_priority | Yes | No | No | User can assign a search a higher-than-normal schedule priority. |
| edit_search_schedule_window | Yes | Yes | Yes | User can assign schedule windows to scheduled reports. Requires the schedule_search capability. |
| edit_search_scheduler | Yes | No | No | User can enable or disable the search scheduler. |
| edit_search_server | Yes | No | No | User can edit general distributed search settings like timeouts, heartbeats, and blacklists. |
| edit_server | Yes | No | No | User can edit general server settings like server name, log levels, etc. |
| edit_server_crl | Yes | No | No | User can edit general server settings like server name, log levels, etc. Inherits the ability to read general server and introspection settings. |
| edit_sourcetypes | Yes | No | No | User can edit sourcetypes. See the Knowledge Manager manual for more information about sourcetypes. |
| edit_splunktcp | Yes | No | No | User can change settings for receiving TCP inputs from another Splunk instance. |
| edit_splunktcp_ssl | Yes | No | No | User can view or edit any SSL-specific settings for Splunk TCP input. |
| edit_splunktcp_token | Yes | No | No | User can edit the Splunk TCP token. |
| edit_tcp | Yes | No | No | User can change settings for receiving general TCP inputs. |
| edit_tcp_token | Yes | No | No | User can change TCP tokens. This is an admin capability. |
| edit_telemetry_settings | Yes | No | No | |
| edit_token_http | Yes | No | No | User can create, edit, display, and remove settings for HTTP token input. |
| edit_tokens_all | Yes | No | No | |
| edit_tokens_own | Yes | No | No | |
| edit_tokens_settings | Yes | No | No | User can manage token settings. |
| edit_udp | Yes | No | No | User can change settings for UDP inputs. |
| edit_user | Yes | No | No | User can create, edit, or remove users. |
| edit_view_html | Yes | No | No | User can create, edit, or modify HTML-based views. |
| edit_web_settings | Yes | No | No | User can change settings in web.conf through the system settings endpoint. |
| edit_workload_pools | Yes | No | No | User can create and edit workload pools through the workloads endpoint. |
| edit_workload_rules | Yes | No | No | User can create and edit workload rules through the workloads/rules endpoint. |
| embed_report | Yes | No | Yes | User can embed reports and disable embedding for embedded reports. |
| export_results_is_visible | Yes | Yes | Yes | User can display or hide the Export Results button in Splunk Web. |
| extra_x509_validation | Yes | Yes | Yes | User can add additional x509 validation. |
| get_diag | Yes | No | No | |
| get_metadata | Yes | Yes | Yes | User can use the "metadata" search processor. |
| get_typeahead | Yes | Yes | Yes | |
| indexes_edit | Yes | No | No | User can change any index settings such as file size and memory limits. |
| input_file | Yes | Yes | Yes | User can add a file as an input through inputcsv and inputlookup. |
| install_apps | Yes | No | No | User can install, uninstall, create, and update apps. Applies only when enable_install_apps is set to "true" in authorize.conf. |
| license_edit | Yes | No | No | User can edit the license. |
| license_tab | Yes | No | No | |
| license_view_warnings | Yes | No | No | User can see license-related warnings. |
| list_accelerate_search | Yes | No | No | User can view accelerated reports but cannot accelerate reports. |
| list_deployment_client | Yes | No | No | User can view deployment client settings. |
| list_deployment_server | Yes | No | No | User can view the deployment server setup. |
| list_forwarders | Yes | No | No | User can view the list of forwarders and the settings for data forwarding. |
| list_health | Yes | No | No | User can monitor the health of Splunk Enterprise through the REST endpoint. |
| list_httpauths | Yes | No | No | |
| list_indexer_cluster | Yes | No | No | User can view the list of indexer clusters as well as indexer cluster objects such as buckets, peers, etc. |
| list_indexerdiscovery | Yes | No | No | User can view settings for indexer discovery. |
| list_inputs | Yes | Yes | Yes | User can view lists of various inputs, including inputs from files, TCP, UDP, scripts, etc. |
| list_introspection | Yes | No | No | |
| list_metrics_catalog | Yes | Yes | Yes | |
| list_search_head_clustering | Yes | No | No | |
| list_search_scheduler | Yes | No | No | |
| list_settings | Yes | No | No | |
| list_storage_passwords | Yes | No | No | |
| list_tokens_all | Yes | No | No | |
| list_tokens_own | Yes | Yes | Yes | User can view their own tokens. |
| list_workload_pools | Yes | No | No | |
| list_workload_rules | Yes | No | No | |
| metric_alerts | Yes | No | Yes | User can create, update, enable, disable, and delete a streaming metric alert. |
| never_expire | Yes | No | No | |
| never_lockout | Yes | No | No | |
| output_file | Yes | Yes | Yes | User can create file outputs, including outputcsv and outputlookup. |
| pattern_detect | Yes | Yes | Yes | |
| request_remote_tok | Yes | Yes | Yes | User can access a remote authentication token. |
| rest_apps_management | Yes | No | No | |
| rest_apps_view | Yes | Yes | Yes | |
| rest_properties_get | Yes | Yes | Yes | User can get information from the services/properties endpoint. |
| rest_properties_set | Yes | Yes | Yes | User can edit the services endpoint. |
| restart_splunkd | Yes | No | No | User can restart Splunk Enterprise through the server control handler. |
| rtsearch | Yes | No | Yes | User can run real-time searches. |
| run_collect | Yes | Yes | Yes | User can run the collect command. |
| run_mcollect | Yes | Yes | Yes | User can run the mcollect and meventcollect commands. |
| run_msearch | Yes | No | No | User can run the msearch command. |
| run_multi_phased_searches | No | No | No | This capability is not assigned to any role by default. |
| schedule_rtsearch | Yes | Yes | Yes | User can schedule real-time saved searches. |
| schedule_search | Yes | No | Yes | User can schedule saved searches, create and update alerts, and review triggered alert information. |
| search | Yes | Yes | Yes | User can run a search. |
| search_process_config_refresh | Yes | No | Yes | |
| select_workload_pools | Yes | No | No | User can assign a scheduled search or ad-hoc search to a workload pool. |
| srchFilter | Yes | No | No | User can manage search filters. |
| srchIndexesAllowed | Yes | No | No | User can search the allowed indexes. |
| srchIndexesDefault | Yes | No | No | User can set the default search index. |
| srchJobsQuota | Yes | No | No | |
| srchMaxTime | Yes | No | No | User can set the maximum time for a search. |
| use_file_operator | Yes | No | No | |
| web_debug | Yes | No | No | |
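As an added example (not code from the original post), the Python script below audits an authorize.conf for high-risk capabilities that a custom role picks up either directly or through role inheritance, which is the practical check behind the role and capability model described above. It assumes the standard authorize.conf layout (`[role_<name>]` stanzas, `importRoles`, and `<capability> = enabled`); the sample file and the HIGH_RISK set are constructed for illustration.

```python
import configparser
# Capabilities from the list above that give administrative control of the instance.
HIGH_RISK = {"admin_all_objects", "edit_roles", "edit_roles_grantable", "edit_user",
             "change_authentication", "edit_server", "restart_splunkd", "edit_tokens_all"}

# Constructed sample authorize.conf, not taken from any real deployment.
SAMPLE_CONF = """[role_admin]
admin_all_objects = enabled
[role_user]
search = enabled
list_inputs = enabled
[role_power]
importRoles = user
schedule_search = enabled
rtsearch = enabled
[role_soc_analyst]
importRoles = power
edit_user = enabled
srchIndexesAllowed = *
"""

def parse_roles(text):
    """Return {role: {"imports": [...], "caps": set()}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep importRoles and capability names case-sensitive
    cp.read_string(text)
    roles = {}
    for section in (s for s in cp.sections() if s.startswith("role_")):
        imports = [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()]
        # Only "<cap> = enabled" is a grant; other values (e.g. srchIndexesAllowed = *) are skipped.
        caps = {k for k, v in cp[section].items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles

def effective_caps(roles, name, seen=None):
    """Capabilities a role holds after following importRoles transitively."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()  # unknown role or import cycle
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_caps(roles, parent, seen)
    return caps

def audit(text):
    """Map each non-admin role to the sorted high-risk capabilities it holds."""
    roles = parse_roles(text)
    risky = {r: sorted(effective_caps(roles, r) & HIGH_RISK) for r in roles if r != "admin"}
    return {r: caps for r, caps in risky.items() if caps}
```

Running `audit(SAMPLE_CONF)` flags only soc_analyst, because edit_user is granted directly while the capabilities it inherits from power and user are all non-administrative.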
Hope you have understood the concept of User Roles & Capabilities In Splunk.
Happy Splunking!!