The Guard Tower • Room 1

Default Roles & Capabilities

Splunk uses a role-based access control (RBAC) system. Every user is assigned one or more roles that determine what they can see and do.

The three default roles are: admin (full access), power (can create shared objects and schedule searches), and user (basic search and personal object creation).

Each role has a set of capabilities — fine-grained permissions like "edit_tcp", "list_inputs", or "schedule_search". Custom roles inherit capabilities from parent roles.
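Because capabilities accumulate through inheritance, a role's own stanza does not show everything it grants. The following is an added example, not code from this course or from Splunk: it resolves effective capabilities from authorize.conf-style stanzas (`[role_<name>]`, `importRoles`, `<capability> = enabled`) and flags roles that hold a sensitive capability only through a parent. The sample stanzas, the `ingest_ops` and `contractor` role names, and the `SENSITIVE` set are constructed assumptions.

```python
import configparser

# Constructed sample in authorize.conf syntax; not Splunk's shipped defaults.
# ingest_ops and contractor are hypothetical custom roles.
SAMPLE = """
[role_user]
list_inputs = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_ingest_ops]
importRoles = power
edit_tcp = enabled
[role_contractor]
importRoles = ingest_ops;user
"""
SENSITIVE = {"edit_tcp"}  # assumption: capabilities this review flags

def load_roles(text):
    """Parse role_ stanzas into {role: (parents, direct capabilities)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so importRoles is matched
    cp.read_string(text)
    roles = {}
    for sec in cp.sections():
        if sec.startswith("role_"):
            items = dict(cp[sec])
            parents = [p.strip() for p in items.pop("importRoles", "").split(";") if p.strip()]
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[sec[len("role_"):]] = (parents, caps)
    return roles

def effective_capabilities(roles, name, seen=None):
    """Own capabilities plus those of every imported role, recursively."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # cycle or undefined parent
        return set()
    seen.add(name)
    parents, caps = roles[name]
    return set(caps).union(*(effective_capabilities(roles, p, seen) for p in parents))

def sensitive_grants(roles):
    """Roles that effectively hold a sensitive capability, direct or inherited."""
    found = {r: sorted(effective_capabilities(roles, r) & SENSITIVE) for r in roles}
    return {r: caps for r, caps in found.items() if caps}

if __name__ == "__main__":
    print(sensitive_grants(load_roles(SAMPLE)))
```

Here `contractor` lists no capabilities of its own, yet it is reported alongside `ingest_ops` because it imports that role.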

Knowledge Check

Match each role to its description.

Descriptions:
Full system access and configuration
Create shared objects, schedule searches
Basic search and personal objects only

Roles:
admin
power
user