What capabilities are needed for a non-admin user ...

wrangler2x · ‎11-02-2018

We've got a special role for non-admin security team members and I'd like some of them to be able to use Forwarder Management (in the Settings menu) to add new clients to a Server Class. I can't figure out what the required Capabilities are that need to be added to their role.

srauhala_splunk · ‎03-23-2021

Creating a specific role to manage deployment servers serverclass I experienced the same issue with

User 'ds_user' with roles { ds_role, ds_user, user } cannot write: /nobody/system/serverclass/serverClass:My_server_class:app:my_app/restartSplunkWeb { read : [ * ], write : [ admin ] }, removable: no

The ds_role has the capabilities:
edit_deployment_client,
edit_deployment_server,
list_deployment_client
list_deployment_server

To be able to add an app to a serverclass the only option was to give the capability admin_all_objects. Which effectively would make ds_role users admins.

To avoid this our workaround was to edit /opt/splunk/etc/system/metadata/local.meta to grant write privilege for ds_role to serverclass objects

#On Deployment Server
#/opt/splunk/etc/system/metadata/local.meta
[serverclass]
access = write : [ admin, ds_role ]
export = system

Rob2520 · ‎11-02-2018

I personally never gave that capability to anyone. But you could try edit_deployment_client, edit_deployment_server, list_deployment_server capabilities.

wrangler2x · ‎11-05-2018

I downvoted this post because not working fully as it should.

wrangler2x · ‎11-05-2018

With the three I mentioned above, he was able to add systems to the whitelist of clients in a Server Class, and he was able to create a new Server Class. However, he was not able to add an application to the new Server Class. I added back in the edit_deployment_client but this made no difference. It throws the following error when you try to save after editing settings and a similar one when trying to add an app:

User 'cinders' with roles { cinders, user, user_oit_security } cannot write: /nobody/system/serverclass/serverClass:OIT_SC_winevent_index_ADFS:app:OIT_DA_winevent_index_ADFS/restartSplunkWeb { read : [ * ], write : [admin ] }, removable: no

kscher · ‎04-17-2019

I have the same issue. It looks like the "edit_deployment_server" capability should confer this permission, but it doesn't. It looks like this could be worked-around by editing some metadata (which one, I wonder, $SPLUNK_HOME/etc/system/metadata/local.meta?), and adding the proper role at some level. But I don't want to mess with that. I want the capability to work the way you'd expect.

emallinger · ‎05-06-2022

Hello,

I wonder if there is an answer to that question ?

I'm stuck on it as well.

Thanks,

Ema

wrangler2x · ‎11-05-2018

In order to edit the Server Classes you need to have edit_deployment_server turned on. This allows creating/editing Server Classes, adding an app to the Server Class, and editing the client list. I did not have to enable edit_deployment_client for these functions, which is what I want this person to do be able to do, so I have left that off. I also enabled list_deployment_client and list_deployment_server.

What capabilities are needed for a non-admin user to update Server Classes and Clients in Settings -> Forwarder Management

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation