List Roles
List all roles and the permissions for each role in Splunk Enterprise Security.
Options
Field | Definition | Type | Required |
---|---|---|---|
Result Set | Choose a method to filter search results: | Dropdown | TRUE |
Input
Field | Definition | Type | Required |
---|---|---|---|
Streaming | | | |
Flow | Click Choose Flow to browse and select a helper flow where the search results will be streamed, then click Choose to confirm. Optionally, click the empty field under Click or drop here to create and add custom extensible fields that pass data to the helper flow. These fields are added as key/value pairs under the State output object in the helper flow. | Flow | TRUE |
Record Limit | Specify the number of records to stream. | Number | FALSE |
Output
Field | Definition | Type |
---|---|---|
Result | | |
Roles | The roles object. | List of Objects |
Name | Unique name of the role. | Text |
ID | Unique identifier of the role. | Text |
Author | The user who created the role. By default, the author is System. | Text |
Capabilities | List of capabilities assigned to the role. | List of Text |
Cumulative Real Time Search Jobs Quota | Maximum number of concurrently running real-time searches for all role members. A warning message is logged when the limit is reached. | Number |
Cumulative Search Jobs Quota | Maximum number of concurrently running searches for all role members. A warning message is logged when the limit is reached. | Number |
Default App | The name of the app to use as the default app for this role. A user-specific default app overrides this. | Text |
Imported Capabilities | List of capabilities assigned to the role that are made available from imported roles. | List of Text |
Imported Roles | List of imported roles for this role. Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions. | List of Text |
Grantable Roles | Grantable roles allow administrators to specify which roles a user can assign to another user. This enables a more granular delegation of administrative tasks. | List of Text |
Imported Real Time Search Jobs Quota | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit. It specifies the quota imported from other roles. | Number |
Imported Search Disk Quota | The maximum disk space in MB a user's search jobs can use. For example, a value of 100 limits this role to 100 MB total. It specifies the quota for this role that is imported from other roles. | Number |
Imported Search Filter | Search string imported from other roles. It restricts the scope of searches run by this role. Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they're combined with an OR operator. | Text |
Imported Search Index Allowed | A list of indexes imported from other roles that this role has permissions to search. | List of Text |
Imported Search Index Default | The default search index for a list of indexes imported from other roles if no index is specified in a search. | List of Text |
Imported Search Jobs Quota | The maximum number of historical searches for this role that are imported from other roles. | Number |
Imported Search Time Win | The maximum time span of a search in seconds. A value of 0 indicates searches that aren't limited to any specific time window. It specifies the limit from imported roles. | Number |
Imported Search Time Earliest | This field controls the earliest time that a user can search for data, limiting the search history accessible to them. It's configured in seconds, and a value of -1 means no limit. It specifies the quota for this role that is imported from other roles. | Number |
Real Time Search Jobs Quota | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit. | Number |
Search Disk Quota | The maximum disk space in MB that a user's search jobs can use. For example, a value of 100 limits this role to 100 MB total. | Number |
Search Filter | Search string that restricts the scope of searches run by this role. Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they're combined with an OR operator. | Text |
Search Indexes Allowed | A list of indexes this role has permissions to search. | List of Text |
Search Jobs Quota | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit. | Number |
Search Time Win | Maximum time span of a search, in seconds. A value of 0 indicates searches that aren't limited to any specific time window. | Number |
Search Time Earliest | This field controls the earliest time that a user can search for data, limiting the search history accessible to them. It's configured in seconds, and a value of -1 means no limit. | Number |
Search Indexes Disallowed | A list of indexes this role doesn't have permissions to search. | List of Text |
Search Indexes Default | List of search indexes that default to this role when no index is specified. | List of Text |
Imported Search Indexes Disallowed | A list of indexes imported roles don't have permissions to search. | List of Text |
Records Streamed | The total number of records streamed. | Number |
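The import rules in the Output table (imported roles contribute their capabilities and allowed indexes, and the broadest value wins) applied to exported role records, as an added example that is not part of the original page or the connector. The key names, the capability watch list and the sample records are assumptions; the card documents display names only.

```python
# Added example: audits records shaped like this card's Roles output.
# Key names, the watch list and the sample records are assumptions/constructed.
WATCHED = {"admin_all_objects", "edit_roles", "edit_user"}  # assumed watch list

SAMPLE_ROLES = [  # constructed records, not real output
    {"name": "soc_analyst", "capabilities": ["search"],
     "imported_roles": ["soc_lead"], "imported_capabilities": ["edit_roles", "search"],
     "search_indexes_allowed": ["notable"],
     "imported_search_index_allowed": ["main", "notable"],
     "search_time_win": 86400, "imported_search_time_win": 0,
     "search_time_earliest": 604800, "imported_search_time_earliest": 604800},
    {"name": "readonly", "capabilities": ["search"],
     "imported_roles": [], "imported_capabilities": [],
     "search_indexes_allowed": ["main"], "imported_search_index_allowed": [],
     "search_time_win": 3600, "imported_search_time_win": 0,
     "search_time_earliest": 86400, "imported_search_time_earliest": 0},
]

def broadest_window(values):
    """Broadest Search Time Win in seconds; 0 means no time-window limit."""
    return 0 if 0 in values else max(values)

def audit_role(role):
    """Return the effective settings and review findings for one role record."""
    own_caps = set(role["capabilities"])
    caps, indexes = set(own_caps), set(role["search_indexes_allowed"])
    windows = [role["search_time_win"]]
    earliest = [role["search_time_earliest"]]
    if role["imported_roles"]:  # imported_* values only count when something is imported
        caps |= set(role["imported_capabilities"])
        indexes |= set(role["imported_search_index_allowed"])
        windows.append(role["imported_search_time_win"])
        earliest.append(role["imported_search_time_earliest"])
    window = broadest_window(windows)
    findings = [f"{cap} is granted only through imported roles"
                for cap in sorted((caps - own_caps) & WATCHED)]
    if window == 0 and role["search_time_win"] != 0:
        findings.append("imported role removes the search time window limit")
    if -1 in earliest:  # -1 means no limit on the earliest searchable time
        findings.append("no limit on the earliest searchable time")
    return {"name": role["name"], "capabilities": sorted(caps),
            "indexes": sorted(indexes), "search_time_win": window,
            "findings": findings}

def audit(roles):
    """Audit every role and keep only those with findings."""
    return [r for r in map(audit_role, roles) if r["findings"]]

if __name__ == "__main__":
    for result in audit(SAMPLE_ROLES):
        print(result["name"], result["findings"])
```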
Related topics
Splunk Enterprise Security connector
Cards in flows