We want to be able to create a Splunk user that has admin rights but can not log into the Splunk Web UI. This user will be used for REST API access only.
Very odd use case. I agree with @jonmargulies. I do not understand why the person get all admin permission without web access.
Well, give one splunk instance without running Splunkweb. But, again, if the user have full admin access, he/she may be able to enable SplunkWeb and restart Splunk.
Here are options that may solve your problem:
1) Switch Splunk to SSO strict mode and connect it to a single sign-on solution so the web UI no longer allows users to manually enter a username/password (documentation here: https://docs.splunk.com/Documentation/Splunk/6.5.3/Security/ConfigureSplunkSSO). Then add all your WebUI users to the SSO solution, but add your admin/REST user to Splunk only--not the SSO solution. If that user ever tries to authenticate to the WebUI, the SSO solution will reject it. But when that user tries to authenticate on the management port, Splunk will bypass the SSO solution (you will have to add the source address that you expect REST queries to come from to the trustedIP list, and just for good measure you should have iptables specifically block the Splunk web port from that IP).
2) I bet you can do something similar to the above by setting up multifactor authentication using Duo (https://docs.splunk.com/Documentation/Splunk/6.5.3/Security/AboutMultiFactorAuth). My guess--I can't find any documentation that addresses it--is that the Splunk management port bypasses Duo just like it bypasses SSO. If that's the case, you'd just have to set up a second factor for the REST account and then destroy that second factor; that way that account can still use its username/password to login through the management port, but it won't have the second factor required to login to Splunk Web.
A couple of things you should consider if you do what you're intending: If you're giving this account admin privileges, it can create another account that has admin and web UI privileges (SSO example above notwithstanding). You can create an alert to look out for that, but this account can also disable that alert. You can create an alert that looks for the account disabling that alert, but... turtles all the way down. So think carefully about those possibilities before you put your trust in this solution.
Based on what I can see from the capabilities that are available in Splunk, there is no capability that manages access to Splunk Web (see this http://docs.splunk.com/Documentation/Splunk/6.5.3/Security/Rolesandcapabilities), so my guess is that it's not possible to have a non web UI user/role.
interesting