Roles
Roles are assigned to users, and every user must have at least one role. Each role contains a list of capabilities that defines which actions its users can perform on the Splunk platform. In other words, capabilities are the permissions granted to a role, for example, run a search, run a scheduled search, run a real-time search, and so on.
Along with capabilities, a role provides configurable options that control which indexes the user is allowed to query, restrict what the user can search further through a search filter, and set quotas such as a disk-space limit and user-level search limits. The following screenshot shows the list of configurable options a role contains:
Figure 3.4: Edit Role configurable options
Splunk Enterprise ships with the following default roles. Along with them, a Splunk administrator can create a custom role by inheriting an existing role. Custom roles that inherit existing roles inherit the parent role capabilities...
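The role options described above correspond to settings in `authorize.conf`. The stanzas below are an added example, not taken from the original text; the role names, index names and search filter are constructed for illustration.

```ini
# authorize.conf (constructed example; role and index names are hypothetical)

# Base role: no importRoles line, so it carries only what is listed here.
[role_soc_analyst]
# Capability: run ad hoc searches.
search = enabled
# Indexes the role may query, and the one searched when no index is named.
srchIndexesAllowed = firewall;proxy
srchIndexesDefault = firewall
# Search filter that restricts the scope of every search the role runs.
srchFilter = sourcetype!=hr_audit
# Quotas: disk space (MB) for search jobs and concurrent searches per user.
srchDiskQuota = 100
srchJobsQuota = 3

# Custom role that inherits the role above and adds two capabilities.
[role_soc_senior]
importRoles = soc_analyst
# Additional capabilities: scheduled and real-time searches.
schedule_search = enabled
rtsearch = enabled
# Concurrent real-time searches per user.
rtSrchJobsQuota = 2
```

`importRoles` brings along the parent's allowed indexes as well as its capabilities, so review what a parent role grants before inheriting from it.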