Splunk supports three types of authentication: Native Authentication, LDAP and Scripted Authentication API.
For the most part, native authentication is referred to as Splunk authentication, and it takes priority over any external authentication.
So, if a user exists in both Splunk native authentication and LDAP, Splunk will use the user in native authentication.
Typically, you’ll create a user and then assign the user to a role. This is called a role-based access control system. You can do this either with the Splunk CLI or from Splunk Web.
A few things to keep in mind about usernames and roles created in native authentication:
- Usernames and role names cannot contain spaces, colons, or forward slashes.
- Usernames are case-insensitive. So, both “johndoe” and “JohnDoe” are the same user.
- Role names are lowercase only.
- You can create a new user and assign it to an existing role. Or, you can create a new role and assign it to an existing user. Either way, users are assigned to roles.
- Roles have capabilities. Capabilities define the actions that are available to a role.
This tutorial explains how to create and manage Splunk users and roles.
I. User Management using Splunk CLI
1. Add User using Splunk CLI
Use the splunk add user command as shown below to add a new user.
# splunk add user ramesh -role Admin -password rameshpassword -full-name "Ramesh Natarajan"
User added.
In the above:
- splunk – This is the Splunk CLI command
- add user – This indicates that we are adding a new user. Give the username after it. In this example, the username is ramesh
- -role – This option indicates the role the user will be assigned to. In this example, we are assigning ramesh to the Admin role
- -password – Specify the password for this new user
- -full-name – Specify the full name of the user
If the given role doesn’t exist, you’ll get an error as shown below.
# splunk add user jason -role ReadOnly -password jasonpassword -full-name "Jason Bourne"
Error creating user. role="ReadOnly" does not exist
2. List All Users using Splunk CLI
Use the splunk list user command as shown below to get a list of all available users in your system.
# splunk list user
username: admin
full-name: Administrator
role: admin
username: ramesh
full-name: Ramesh Natarajan
role: admin
3. Edit an Existing User using Splunk CLI
Use the splunk edit user command as shown below to edit the details of an existing user. In the following command, we are changing the full-name of the given user.
# splunk edit user ramesh -full-name "Ramesh N"
User ramesh edited.
After editing, make sure the changes are reflected using splunk list user.
# splunk list user
username: admin
full-name: Administrator
role: admin
username: ramesh
full-name: Ramesh N
role: admin
4. Delete User using Splunk CLI
Let us quickly add a user and then delete it.
# splunk add user jason -role Power -password jasonpassword -full-name "Jason Bourne"
Use the splunk remove user command as shown below to delete the given user from Splunk native authentication.
# splunk remove user jason
User removed.
If the given user doesn’t exist, you’ll get the following non-existent error message.
# splunk remove user jason1
In handler 'users': Could not get info for non-existent user="jason1"
5. Assign a different Role to a User
Use the splunk edit user command with the -role option as shown below to assign an existing user to a different role.
Initially, when we created ramesh, we assigned the Admin role. The following will reassign ramesh to the Power role.
# splunk edit user ramesh -role Power
User ramesh edited.
Verify that the role is changed for the user.
# splunk list user
username: admin
full-name: Administrator
role: admin
username: ramesh
full-name: Ramesh Natarajan
role: power
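The naming rules from the start of this tutorial and the splunk list user output shown above can be checked by a script before adding accounts and when reviewing who holds the admin role. The following is an added example, not part of the original tutorial or of Splunk; the function names and the sample listing are constructed, and repeated role: lines for a user with several roles are an assumption about the output.

```shell
# Added example: review helpers for `splunk list user` output.
# Function names are hypothetical; the sample listing is constructed.

# Naming rule for usernames and roles: non-empty, no space, colon or slash.
valid_name() {
    case "$1" in
        ''|*' '*|*:*|*/*) return 1 ;;
    esac
    return 0
}

# Read `splunk list user` output on stdin; print "<username> <role,role>".
parse_users() {
    awk -F':[ \t]*' '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }
        $1 == "username" { if (u != "") print u, r; u = $2; r = "" }
        $1 == "role"     { r = (r == "" ? $2 : r "," $2) }
        END              { if (u != "") print u, r }'
}

# Print accounts holding a role. Roles are lowercase (-role Admin is
# listed as admin), so the requested role is lowercased before comparing.
users_with_role() {
    parse_users | awk -v want="$1" '{
        n = split($2, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] == tolower(want)) { print $1; break }
    }'
}

# Succeed if the name is already taken, ignoring case (JohnDoe = johndoe).
name_taken() {
    parse_users | awk -v want="$1" '
        tolower($1) == tolower(want) { found = 1 }
        END { exit !found }'
}

# Constructed sample; in practice pipe in the output of: splunk list user
SAMPLE_USERS='username: admin
full-name: Administrator
role: admin
username: ramesh
full-name: Ramesh Natarajan
role: admin
username: JohnDoe
full-name: John Doe
role: power
role: user'

printf '%s\n' "$SAMPLE_USERS" | users_with_role Admin
```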
II. Role Management using Splunk CLI
6. List Current Roles using Splunk CLI
Splunk comes with the following roles:
- admin – Full administrator access
- power – One level down from admin. You can edit shared objects, alerts, tag events, etc.
- user – Assign this to a typical Splunk user who can run searches, edit their own saved searches, etc.
- can_delete – Allows user to delete by keyword.
Use the splunk list role command as shown below to display all available roles in your system.
As you can see from the following output, it also displays the capabilities that are currently associated with each role.
# splunk list role
role: admin
capabilities: accelerate_datamodel admin_all_objects ...
default app:
grantable_roles:
imported_capabilities: accelerate_search change_own_password ..
imported_roles: power user
searchable_indexes: * _*
default_index: main os
role: can_delete
capabilities: delete_by_keyword dispatch_rest_to_indexers schedule_rtsearch ..
role: power
capabilities: edit_sourcetypes embed_report rtsearch schedule_search search_process_config_refresh ..
role: splunk-system-role
capabilities: ..
role: user
capabilities: accelerate_search change_own_password ..
..
Note: The above output is truncated for better readability
7. Add Role using Splunk CLI (Not Possible)
You cannot add a new role using the Splunk CLI.
However, you can add a new role using REST API.
8. Delete Role using Splunk CLI
Use the splunk remove role command as shown below to remove an existing role.
# splunk remove role splunkreadonly
Role removed.
III. User Management using Splunk Web
9. List All Users from Console
To view all the users from the console, log in to Splunk Web -> click on Settings, which will display the following settings menu.
Under the Users and Authentication section at the bottom, click on the “Access Controls” link:
This will display the following access control menu, from where you can add either a user or a role.
Click on Users, which will display all available users in Splunk as shown below.
10. Add New User from Console
To add a new user: Settings -> Users and Authentication -> Access Controls -> Users -> New
Click on New from the user list. This will display the following dialog where you can enter information about this new user.
In the above, apart from entering the user’s basic information, you can also select the role that you want to assign to the user.
At the bottom of the screen, after you select the role for the user, you’ll see a textbox where you can enter the password for the user (this is not shown in the above screen).
Once the user is created, it will be displayed in the user list as shown below.
IV. Role Management from Splunk Web
11. List All Roles from Console
To view all the roles from the console, log in to Splunk Web -> click on Settings -> Users and Authentication -> click on “Access Controls” -> click on “Roles”.
This will display all available roles in splunk as shown below.
12. Add New Role from Console
To add a new role: Settings -> Users and Authentication -> Access Controls -> Roles -> New
Enter the role name and other basic information as shown below.
In our example, we are creating a role called splunkreadonly.
For the new role that you are creating, you can also inherit capabilities from existing roles.
Apart from inheriting capabilities from existing roles, you can also explicitly specify capabilities for the new role as shown below.
Once the role is created, it will be displayed in the role list as shown below: