Security
Highlighted

Custom search commands and authorize.conf in 4.1?

Super Champion

When setting up a custom search command, is it still necessary to setup authorize.conf entries like this in Splunk 4.1?

[capability::run_script_dothething]

[role_Admin] 
run_script_dothething = enabled

Or has it been replaced in favor of metadata entries? Like so:

[commands/dothething]
access = read : [ admin ], write : [ admin ]
owner = nobody
export = system

Are these equivalent?

Highlighted

Re: Custom search commands and authorize.conf in 4.1?

Splunk Employee
Splunk Employee

The settings in authorize.conf for controlling access to search commands have been replaced by the settings in the .meta files as of 4.0. The run_script_* settings no longer do anything. (Also note that settings for role_Admin should be role_admin as of 4.0, as the name of the role changes from Admin to admin then.)

View solution in original post