5. Difference between roles and capabilities?
When you create a user on the Splunk platform, you assign one or more roles to the user as part of the user creation process. Each role contains a set of capabilities. These capabilities define what users who hold a certain role can do.
For example, if a user ‘finn’ holds a role that includes the edit_tokens_settings capability, this means that ‘finn’ can make changes to the Token Authentication scheme on the instance. If they hold the admin_all_objects capability, they can make changes to any object on the instance.
You can add, edit, or remove capabilities for new, existing, and default roles. Doing this changes the kind of access that the role provides. For example, you might give a role the capability to add inputs or edit saved searches.
Capabilities are always additive in nature. There is no way to take away an ability to do something by adding a capability. If you don’t want users who hold a role to perform a certain function on your Splunk platform instance, then do not assign a capability that grants the ability to perform that function to that role.
Similarly, users who hold multiple roles receive all the benefits of any capabilities that are assigned to those roles. If you do not want a certain user to have access to all the capabilities that a role provides, do not assign that role to that user.
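The additive behaviour described above can be audited with a short script. The following is an added example, not Splunk's own code: it assumes role stanzas in authorize.conf style (`[role_<name>]` with `<capability> = enabled`), uses constructed role names and user assignments, and does not model role inheritance.

```python
import configparser

# Constructed sample in authorize.conf style (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_analyst]
search = enabled
schedule_search = enabled

[role_token_admin]
edit_tokens_settings = enabled

[role_platform_admin]
admin_all_objects = enabled
edit_tokens_settings = enabled
"""

# Constructed user-to-role assignments ('finn' is the page's example user).
SAMPLE_USERS = {
    "finn": ["analyst", "token_admin"],
    "jake": ["analyst"],
    "marcy": ["analyst", "platform_admin"],
}

def load_roles(conf_text):
    """Return {role_name: set of capabilities marked 'enabled'}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep capability names case-sensitive
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = {
                key for key, value in parser[section].items()
                if value.strip().lower() == "enabled"
            }
    return roles

def effective_capabilities(user_roles, roles):
    """Union of the capabilities of every role the user holds (additive)."""
    caps = set()
    for role in user_roles:
        caps |= roles.get(role, set())
    return caps

def holders_of(capability, users, roles):
    """Map each user who holds `capability` to the roles that grant it."""
    result = {}
    for user, assigned in users.items():
        granting = sorted(r for r in assigned if capability in roles.get(r, set()))
        if granting:
            result[user] = granting
    return result
```

Running `holders_of` for a sensitive capability such as admin_all_objects shows which role assignment has to be removed from a user, since no other role can subtract the capability.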