Getting Data In
Highlighted

Remove capabilities in authorize.conf

New Member

I see capabilities in Splunk are defined in the authorize.conf. For security reason, i want to disable the delete by keyword capabilities in Splunk so no user could delete any data in splunk.

Could I just delete the line which define capabilities and all roles related to it.

Tags (2)
0 Karma
Highlighted

Re: Remove capabilities in authorize.conf

Path Finder

I just tried this out myself. Just comment out this line in $SPLUNK_HOME/etc/system/default/authorize.conf and restart Splunk.

# [capability::delete_by_keyword]

The capability will no longer exist for the can_delete role, and you won't be able to assign it to any other role in the Splunk UI.