# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# commented out capabilities that are registered by their own components.
# leaving here for educational purposes.

# This file creates roles and sets granular access controls.
#
# Layout: the [capability::<name>] stanzas below register every capability
# name known to the system; they carry no settings and grant nothing by
# themselves. Grants are made in the [role_*] stanzas further down (or in a
# local override) by setting "<name> = enabled". Comments in this file are
# full-line "#" only; ";" inside a value is a list separator, not a comment.

# These stanzas list all the capabilities in the system
[capability::accelerate_datamodel]
# admin_all_objects: by name, unrestricted access to every knowledge object.
# Granted to [role_admin] below; treat as equivalent to full administrative
# control when reviewing who holds it.
[capability::admin_all_objects]
[capability::edit_own_objects]
[capability::edit_tokens_settings]
# change_authentication / change_audit: by name, authentication and audit
# configuration. Only [role_admin] enables them in this file.
[capability::change_authentication]
[capability::change_audit]
[capability::change_own_password]
# Storage-password (credential store) capabilities; admin-only below.
[capability::edit_storage_passwords]
[capability::list_storage_passwords]
# delete_by_keyword is granted only via [role_can_delete] below.
[capability::delete_by_keyword]
[capability::edit_bookmarks_mc]
[capability::edit_deployment_client]
[capability::list_deployment_client]
[capability::edit_deployment_server]
[capability::list_deployment_server]
# edit_cmd / edit_scripted: by name, control over custom search commands and
# scripted inputs, i.e. code that runs on the host. Admin-only below.
[capability::edit_cmd]
[capability::edit_upload_and_index]
[capability::edit_tcp_stream]
[capability::list_dist_peer]
[capability::edit_dist_peer]
[capability::edit_forwarders]
[capability::edit_indexerdiscovery]
[capability::edit_httpauths]
[capability::edit_indexer_cluster]
[capability::edit_input_defaults]
[capability::install_apps]
[capability::edit_local_apps]
[capability::edit_authentication_extensions]
[capability::edit_monitor]
[capability::edit_restmap]
# edit_roles: by name, allows changing role definitions (including this
# file's overrides); admin-only below. edit_roles_grantable is registered
# here but not enabled for any role in this file.
[capability::edit_roles]
[capability::edit_roles_grantable]
[capability::edit_scripted]
[capability::edit_search_server]
[capability::edit_search_head_clustering]
[capability::edit_search_concurrency_all]
[capability::edit_search_concurrency_scheduled]
[capability::edit_search_scheduler]
[capability::edit_search_schedule_priority]
[capability::edit_search_schedule_window]
[capability::list_pipeline_sets]
[capability::list_search_scheduler]
[capability::list_introspection]
[capability::list_settings]
[capability::list_metrics_catalog]
# Token capabilities: *_own variants are scoped to the caller's own tokens,
# *_all variants are not (by name). Only list_tokens_own reaches [role_user].
[capability::edit_tokens_all]
[capability::edit_tokens_own]
[capability::list_tokens_own]
[capability::list_tokens_scs]
[capability::edit_server]
[capability::edit_user_seed]
# Field-filter capabilities; see the note on
# run_commands_ignoring_field_filter further down.
[capability::edit_field_filter]
[capability::view_field_filter]
[capability::edit_sourcetypes]
[capability::edit_splunktcp]
[capability::edit_splunktcp_ssl]
[capability::edit_splunktcp_token]
[capability::edit_statsd_transforms]
[capability::edit_metric_schema]
[capability::edit_tcp]
[capability::edit_udp]
[capability::edit_telemetry_settings]
# edit_user: by name, user account administration; admin-only below.
# list_all_users and list_all_roles are registered but not enabled for any
# role in this file.
[capability::edit_user]
[capability::list_all_users]
[capability::list_all_roles]
[capability::edit_view_html]
[capability::edit_web_settings]
[capability::get_metadata]
[capability::get_typeahead]
[capability::get_diag]
[capability::indexes_edit]
[capability::input_file]
[capability::license_edit]
[capability::license_read]
[capability::license_tab]
[capability::license_view_warnings]
[capability::list_all_objects]
[capability::list_forwarders]
[capability::list_indexerdiscovery]
[capability::list_httpauths]
[capability::list_indexer_cluster]
[capability::list_inputs]
[capability::list_search_head_clustering]
[capability::output_file]
[capability::request_remote_tok]
[capability::rest_apps_management]
[capability::rest_apps_view]
[capability::rest_properties_get]
[capability::rest_properties_set]
[capability::restart_splunkd]
[capability::restart_reason]
[capability::rtsearch]
# run_commands_ignoring_field_filter: by name, lets searches bypass field
# filters. Note that [role_power] (and therefore [role_admin]) enables it.
[capability::run_commands_ignoring_field_filter]
# run_debug_commands: admin-only below.
[capability::run_debug_commands]
[capability::run_walklex]
[capability::schedule_search]
[capability::metric_alerts]
[capability::schedule_rtsearch]
[capability::search]
[capability::accelerate_search]
[capability::list_accelerate_search]
[capability::embed_report]
[capability::pattern_detect]
[capability::list_token_http]
[capability::edit_token_http]
[capability::web_debug]
[capability::export_results_is_visible]
[capability::edit_server_crl]
[capability::search_process_config_refresh]
[capability::dispatch_rest_to_indexers]
[capability::refresh_application_licenses]
[capability::edit_encryption_key_provider]
# never_lockout / never_expire: by name, exempt the holder from account
# lockout and password expiry. Both are enabled for [role_admin] below, so
# admin membership should be kept minimal and its logins monitored.
[capability::never_lockout]
[capability::never_expire]
[capability::list_health]
[capability::list_health_subset]
[capability::edit_health]
[capability::edit_health_subset]
[capability::request_pstacks]
[capability::edit_watchdog]
[capability::list_workload_pools]
[capability::edit_workload_pools]
[capability::select_workload_pools]
[capability::list_workload_rules]
[capability::edit_workload_rules]
[capability::list_workload_policy]
[capability::edit_workload_policy]
[capability::run_collect]
[capability::run_mcollect]
[capability::list_tokens_all]
[capability::upload_lookup_files]
[capability::upload_mmdb_files]
[capability::create_external_lookup]
[capability::edit_external_lookup]
[capability::apps_restore]
[capability::apps_backup]
[capability::edit_metrics_rollup]
[capability::list_cascading_plans]
[capability::list_remote_output_queue]
[capability::list_remote_input_queue]
[capability::run_msearch]
[capability::delete_messages]
[capability::edit_log_alert_event]
[capability::edit_global_banner]
[capability::fsh_manage]
[capability::fsh_search]
[capability::edit_kvstore]
[capability::use_remote_proxy]
[capability::edit_manager_xml]
[capability::run_dump]
[capability::run_sendalert]
# run_custom_command reaches [role_user] below; custom commands are code
# shipped by apps, so app review matters for the user role too.
[capability::run_custom_command]
[capability::list_ingest_rulesets]
[capability::edit_ingest_rulesets]
[capability::capture_ingest_events]
[capability::merge_buckets]
[capability::read_internal_libraries_settings]
[capability::edit_web_features]
[capability::rest_access_server_endpoints]
[capability::edit_certificates]
[capability::list_certificates]
[capability::edit_spl2_permissions]

################################################################
################################################################
# [default] values apply to every other stanza in this file unless the
# stanza sets the same key itself (so every role starts with these
# capabilities and quotas).
[default]
# ==== Subsumed roles ====
# ==== Capabilities ====
schedule_rtsearch = enabled
run_collect = enabled
run_mcollect = enabled
edit_own_objects = enabled
list_all_objects = enabled
# ==== Other settings ====
# Search resource quotas. Units are not stated in this file except where
# part of the value (srchMaxTime = 100days); confirm srchDiskQuota's unit
# against the authorize.conf spec for this version before tuning.
srchDiskQuota = 100
srchJobsQuota = 3
rtSrchJobsQuota = 6
srchMaxTime = 100days
cumulativeSrchJobsQuota = 50
cumulativeRTSrchJobsQuota = 100
srchFilterSelecting = true

################################################################
################################################################
# Baseline role. [role_power] imports it and [role_admin] imports both, so
# anything enabled here is held by every role defined in this file.
[role_user]
# ==== Subsumed roles ====
# ==== Capabilities ====
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
upload_lookup_files = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
list_accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
list_tokens_own = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
delete_messages = enabled
run_dump = enabled
run_sendalert = enabled
run_custom_command = enabled
rest_access_server_endpoints = enabled
# ==== Other settings ====
# srchIndexesAllowed = * lets users search every index matched by "*".
# [role_admin] lists "*;_*" separately, which suggests "*" alone does not
# cover the underscore-prefixed internal indexes - confirm against the
# spec. Narrow this in local if ordinary users must not see all indexes.
srchIndexesAllowed = *
srchIndexesDefault = main

################################################################
################################################################
# Standalone role (imports nothing): adds only delete_by_keyword, scoped
# by deleteIndexesAllowed = * to every index.
[role_can_delete]
# ==== Subsumed roles ====
# ==== Capabilities ====
delete_by_keyword = enabled
# ==== Other settings ====
# NOTE(review): these 0 quotas are vendor defaults; check the spec for
# whether 0 means "none" or "unlimited" before relying on them.
cumulativeSrchJobsQuota = 0
cumulativeRTSrchJobsQuota = 0
deleteIndexesAllowed = *

################################################################
################################################################
# Power user: everything in [role_user] plus scheduling, real-time search,
# sourcetype/transform edits and larger quotas.
[role_power]
# ==== Subsumed roles ====
# importRoles is a ";"-separated list of roles whose settings are inherited.
importRoles = user
# ==== Capabilities ====
schedule_search = enabled
metric_alerts = enabled
embed_report = enabled
rtsearch = enabled
edit_sourcetypes = enabled
edit_statsd_transforms = enabled
search_process_config_refresh = enabled
edit_log_alert_event = enabled
run_msearch = enabled
run_dump = enabled
run_sendalert = enabled
run_custom_command = enabled
rest_access_server_endpoints = enabled
view_field_filter = enabled
# NOTE(review): by name, this lets power users' commands ignore field
# filters. If field filters are used as a data-access control, either
# disable this in local for power or restrict power membership.
run_commands_ignoring_field_filter = enabled
# ==== Other settings ====
srchIndexesAllowed = *
srchIndexesDefault = main
srchDiskQuota = 500
srchJobsQuota = 10
rtSrchJobsQuota = 20
cumulativeSrchJobsQuota = 100
cumulativeRTSrchJobsQuota = 200

################################################################
################################################################
# Full administrative role. Holds identity/role administration
# (edit_user, edit_roles, change_authentication, admin_all_objects),
# credential-store access (edit_storage_passwords), code-execution-related
# capabilities (edit_cmd, edit_scripted, run_debug_commands) and is exempt
# from lockout and expiry (never_lockout, never_expire). Keep membership
# small and review any local override that widens other roles toward this.
[role_admin]
# ==== Subsumed roles ====
importRoles = power;user
# ==== Capabilities ====
accelerate_datamodel = enabled
admin_all_objects = enabled
edit_tokens_settings = enabled
change_authentication = enabled
change_audit = enabled
edit_bookmarks_mc = enabled
create_external_lookup = enabled
edit_external_lookup = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
list_search_head_clustering = enabled
dispatch_rest_to_indexers = enabled
edit_authentication_extensions = enabled
edit_cmd = enabled
edit_upload_and_index = enabled
edit_tcp_stream = enabled
list_dist_peer = enabled
edit_dist_peer = enabled
edit_field_filter = enabled
view_field_filter = enabled
edit_restmap = enabled
edit_forwarders = enabled
edit_indexerdiscovery = enabled
edit_httpauths = enabled
edit_indexer_cluster = enabled
edit_input_defaults = enabled
list_introspection = enabled
edit_local_apps = enabled
edit_monitor = enabled
edit_tokens_own = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_concurrency_all = enabled
edit_search_head_clustering = enabled
edit_search_server = enabled
edit_search_scheduler = enabled
edit_search_schedule_priority = enabled
edit_tokens_all = enabled
list_tokens_all = enabled
edit_certificates = enabled
list_certificates = enabled
edit_spl2_permissions = enabled
list_indexer_cluster = enabled
list_pipeline_sets = enabled
list_search_scheduler = enabled
list_settings = enabled
edit_server = enabled
edit_user_seed = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_splunktcp_token = enabled
edit_tcp = enabled
edit_udp = enabled
edit_telemetry_settings = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
install_apps = enabled
license_edit = enabled
license_tab = enabled
license_view_warnings = enabled
refresh_application_licenses = enabled
list_forwarders = enabled
list_indexerdiscovery = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
restart_reason = enabled
run_debug_commands = enabled
list_token_http = enabled
edit_token_http = enabled
web_debug = enabled
search_process_config_refresh = enabled
edit_server_crl = enabled
edit_storage_passwords = enabled
list_storage_passwords = enabled
edit_encryption_key_provider = enabled
never_lockout = enabled
never_expire = enabled
list_health = enabled
edit_health = enabled
apps_restore = enabled
apps_backup = enabled
fsh_manage = enabled
fsh_search = enabled
edit_workload_pools = enabled
list_workload_pools = enabled
select_workload_pools = enabled
edit_workload_rules = enabled
list_workload_rules = enabled
list_workload_policy = enabled
edit_workload_policy = enabled
edit_metric_schema = enabled
edit_metrics_rollup = enabled
list_cascading_plans = enabled
list_remote_output_queue = enabled
list_remote_input_queue = enabled
list_ingest_rulesets = enabled
edit_ingest_rulesets = enabled
capture_ingest_events = enabled
edit_log_alert_event = enabled
edit_global_banner = enabled
read_internal_libraries_settings = enabled
edit_web_features = enabled
edit_kvstore = enabled
upload_mmdb_files = enabled
use_remote_proxy = enabled
edit_manager_xml = enabled
merge_buckets = enabled
# ==== Other settings ====
# Admin is the only role in this file granted the _* (internal) indexes and
# an unrestricted srchFilter with no time window.
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchTimeEarliest = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400

################################################################
################################################################
# Inherits admin in full and adds nothing of its own.
[role_splunk-system-role]
# ==== Subsumed roles ====
importRoles = admin
# ==== Capabilities ====
# ==== Other settings ====

################################################################
################################################################
# Authentication-token defaults: tokens live 30 days unless overridden,
# ephemeral tokens 1 hour, and token authentication is on (disabled = false).
# Shorten expiration in local if long-lived bearer tokens are not acceptable.
[tokens_auth]
expiration = +30d
ephemeralExpiration = +1h
disabled = false