How to disable REST API access for a user


I want to disable REST API access for a user. In other words, he/she should be able to log in to Splunk Web and run searches where as they should not have provision to run searches via API calls.

I tried disabling the below capability for the user in authorize.conf, but it does not block the user from accessing REST API


Is there any way we can configure these capability for the user?


If the underlying issue is a user running hundreds of automated searches via API, then you might want to consider reassigning them to a new role that has a very low max concurrent search setting, until they demonstrate good citizenship.

Also, if they are obviously wasting resources, then check the searches that they ARE running, to make sure they aren't doing something silly like running a realtime search "for all time" and wondering why it never finishes, so they submit it again.

0 Karma


Hi DalJeanis. I also need to disable REST API for some roles , letting it open to some others.

My goal is to limit the first group to a specific set of dashboards (I've removed permisson to the search dashboard) and prevent them to use the REST api to do ad-hoc searches. At the same time there are some other roles that should maintain the REST access.

Do you have some advise?

0 Karma

Splunk Employee
Splunk Employee

I don't think this is possible because splunkweb UI uses the REST API itself. You could disable access to port 8089 on your search head for any host other than localhost (ie. the search head itself), but that's an all or nothing approach.
From a security perspective, if a user has permission to search via the UI, he/she has permission to search from wherever.
If you want to elaborate on your use case, maybe there is another way to achieve what you need.


Hi ssievert,

We have two set of user profiles as per our Client's standard. One profile is for users to access the UI and run searches, create reports and dashboards etc. The other profile is for application user accounts to access SPLUNK REST API from specific application to search for data.

However, we have few UI users accessing REST API programatically and are running hundreds of searches which we want to restrict. Also, we want to allow only the application user accounts to access the REST API.

Hope I have provided enough details on what we are trying to do

0 Karma


I want to disable rest api.
How to?

0 Karma


Any latest suggestions/workaround to achieve this? We have a similar use case where we don't want all the users connection via REST

0 Karma


Have you checked which roles are being applied to the user. If any one of the roles has those capabilities, they would automatically be inherited.

0 Karma


yes. I have checked the capabilities. Disabling the search capability restricts the user from accessing REST API but that also blocks the UI search capability.

I am interested in blocking the REST API access alone.

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...