This configuration stores definitions of capabilities and roles. These settings affect search and the web interface. They are generally managed through the interface at Settings | Access controls, but a quick look at the configuration itself may be useful.
A role stanza looks like this:
[role_power] importRoles = user schedule_search = enabled rtsearch = enabled srchIndexesAllowed = * srchIndexesDefault = main srchDiskQuota = 500 srchJobsQuota = 10 rtSrchJobsQuota = 20
Let's walk through these settings:
- importRoles: This is a list of roles to import capabilities from. The set of capabilities will be the merging of capabilities from imported roles and added capabilities.
- schedule_search and rtsearch: These are two capabilities enabled for the role power that were not necessarily enabled for the imported roles.
- srchIndexesAllowed: This determines what indexes this role is allowed to search. In this case, all are allowed.
- srchIndexesDefault: This determines the indexes to search by default. This setting also affects the data shown in Search | Summary. If you have installed the ImplementingSplunkDataGenerator app, you will see the impl_splunk_* source types on this page even though this data is actually stored in the implsplunk index.
- srchDiskQuota: Whenever a search is run, the results are stored on the disk until they expire. The expiration can be set explicitly when creating a saved search, but the expiration is automatically set for interactive searches. Users can delete old results from the Jobs view.
- srchJobsQuota: Each user is limited to a certain number of concurrently running searches. The default is three. Users with the power role are allowed 10, while those with the admin role are allowed 50.
- rtSrchJobsQuota: Similarly, this is the maximum number of concurrently running real-time searches. The default is six.