Set permissions for objects in a Splunk app

Every app, and every object within an app, is governed by a set of read/write permissions that specify what users can see (read access) and interact with (write access) in Splunk Enterprise. Permissions can be granted by role for every app and object.

Here are some use cases for setting permissions on an app or on objects in your app:

  • Restrict the objects that users can see. For example, you can create a business stats dashboard that is only viewable by your executive team, and an error-reporting dashboard that is only viewable by your development team.
  • Restrict the data that users can see. For example, your ops team might only be authorized to see syslog data, while your development team may only see Log4J and Apache data. So, you could create a specific app for each team that showcases the different types of data each team needs to access. When these users log into Splunk Enterprise, they see only the apps they have permission to see.
  • Restrict the ability to create or edit objects. Depending on permissions, certain users might only be able to create or edit objects within an app, while other users might be able to create or edit objects that are available to their user roles. For example, when a user creates a report, it is saved in their user directory under $SPLUNK_HOME/etc/users/user_name and available only to that user. Users can promote objects from their user level to the app level if they have write permissions on the app. The promoted object moves in the file system from the user directory to the app directory, $SPLUNK_HOME/etc/apps/app_name. Then, the object is made available to all users who have read access within that app.

For more about users and roles, see About users and roles in the Admin Manual. For more about how to restrict your users and roles to only the data they should see, see Setting access to manager consoles and apps in the Securing Splunk Enterprise manual.

To control how users access your app and its objects, you can set permissions using Splunk Web settings (recommended) or by modifying Splunk Enterprise files directly.

Set permissions in Splunk Web

Set permissions on a per-object and per-app basis in Splunk Web:

  1. In Splunk Web, go to Settings, then under Knowledge click a category of objects or click All configurations.
  2. Click Permissions for the object for which you want to edit permissions.
  3. Select an option for the app context (all apps or the object's current app), and then set read and/or write permissions for all the roles listed.
  4. Click Save.

 

Set permissions in the file system

Edit the permissions file (default.meta) in your app to set read/write permissions for all the objects in your app:

  1. In a text editor, open $SPLUNK_HOME/etc/apps/your_app_name/metadata/default.meta.
  2. Add an entry for each object, or all objects of a type, using the following format:

        [<object_type>/<object_name>]
        access = read : [ <comma-separated list of roles> ], write : [ <comma-separated list of roles> ]

    • object_type corresponds to the type of object, including but not limited to:

      Object                    object_type
      Alerts                    alert_actions
      Apps                      app
      Event types               eventtypes
      HTML dashboards           html
      Lookup tables             lookups
      Reports                   savedsearches
      Search scripts            searchscripts
      Simple XML dashboards     views
      Tags                      tags
      Visualizations            visualizations

    • object_name is the URL-encoded name of the object, such as "Top%20five%20sourcetypes".
    • If you don't specify an object_name, permissions apply to all objects of that type.

Example: Set permissions per object

To set permissions on a per-object basis, explicitly name the object. For example, this entry grants read and write permissions to the admin role for the "Splunk errors in the last 24 hours" saved search:

[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]

Example: Set permissions for all objects of a type

This entry gives read permissions to everyone and write permissions to admin and power roles for all event types in the app:

[eventtypes]
access = read : [ * ], write : [ admin, power ]

Make objects globally available

By default, objects are only visible within the app in which they were created. To make an object available to all apps, add the following line to the object's entry in default.meta:

export = system

For example, to make all event types in the "testing" app viewable in every app in your Splunk Enterprise installation, add the following entry to $SPLUNK_HOME/etc/apps/testing/metadata/default.meta:

[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system
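
Example: Review default.meta for overly broad permissions

As an added example (not part of the original documentation and not Splunk's own code), the following Python code parses entries in the default.meta format shown above and flags two grants a least-privilege review would question: write access for every role (*), and read access for every role combined with export = system. The sample file content, the views/exec_stats object, and the function names parse_meta and audit are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample default.meta content (not taken from a real app).
SAMPLE_META = """\
[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]

[eventtypes]
access = read : [ * ], write : [ admin, power ]
export = system

[views/exec_stats]
access = read : [ * ], write : [ * ]
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza: {"type", "name", "read", "write", "export"}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines and "#" comments match neither branch and are skipped.
        if line.startswith("[") and line.endswith("]"):
            obj_type, _, obj_name = line[1:-1].partition("/")
            current = {"type": obj_type, "name": unquote(obj_name) or None,
                       "read": [], "write": [], "export": None}
            entries[line[1:-1]] = current
        elif current is not None and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if key == "access":
                for perm, roles in ACCESS_RE.findall(value):
                    current[perm] = [r.strip() for r in roles.split(",") if r.strip()]
            elif key == "export":
                current["export"] = value
    return entries


def audit(entries):
    """Flag entries that are broader than a least-privilege review expects."""
    findings = []
    for stanza, e in entries.items():
        if "*" in e["write"]:
            findings.append((stanza, "write granted to every role"))
        if e["export"] == "system" and "*" in e["read"]:
            findings.append((stanza, "readable by every role in every app"))
    return findings
```

Calling audit(parse_meta(text)) on the contents of an app's metadata/default.meta returns a list of (stanza, reason) pairs to review; an entry with no object name (name is None) covers every object of that type.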