https://community.splunk.com/t5/Splunk-Enterprise/Do-new-roles-become-grantable-roles-by-default-in-Splunk/m-p/223892#M8267 <P>Hi gk6565, </P> <P>It really depends on from which roles(s) your new role inherits from. <BR /> Among the system built-in roles, only admin has the edit_roles_grantable Capability by default. <BR /> If you want to separate and delegate administration tasks between sys-admins and data admins without granting full admin role, restrict grantable capabilities only to the level sub-admins. After you add the edit_roles_grantable capability to the sub-admin role, the role can only create roles with subset of the capabilities that the current user role has. <BR /> For example: <BR /> Add new role user_admin by inheriting from power and user, and assigning the following capabilities to the role: </P> <UL> <LI>edit_roles_grantable</LI> <LI>edit_user</LI> </UL> <P>Users in this roles can only assign limited roles to users. </P> <P>Hope it helps. Thanks!<BR /> Hunter</P> Tue, 29 Sep 2020 12:24:42 GMT hunters_splunk 2020-09-29T12:24:42Z https://community.splunk.com/t5/Splunk-Enterprise/Do-new-roles-become-grantable-roles-by-default-in-Splunk/m-p/223891#M8266 <P>Do new roles become grantable roles by default in Splunk?</P> <P>I'm using Splunk 6.4.2.</P> <P>I have created a <CODE>delegated admin</CODE> role with one user (say <CODE>d_admin</CODE> for instance). Here is its definition, as given by the <A href="http://mindmajix.com/splunk-training">splunk</A> cli:</P> <PRE><CODE>role: delegated_admin capabilities: edit_roles_grantable edit_user rest_apps_view rest_properties_get default app: grantable_roles: dashboard_designer;dashboard_viewer imported_capabilities: imported_roles: searchable_indexes: default_index: </CODE></PRE> <P><CODE>dashboard_designer</CODE> and <CODE>dashboard_viewer</CODE> are nothing special, I just use them to define permissions on apps and dashboards.</P> <P>Now, when I log into <CODE>d_admin</CODE> and create a new role (e.g <CODE>new_role</CODE>), I can see and manage it just as if it was in the <CODE>grantable_roles</CODE> list, but it is not. I am not at liberty to test if that survives a cold reboot.</P> <P>My question here is : </P> <P>Is that a undocumented feature that I can rely on or is that some sort of bug that will bite me if I trust it?</P> <P>Regards,<BR /> Kiran</P> Mon, 09 Jan 2017 11:28:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Do-new-roles-become-grantable-roles-by-default-in-Splunk/m-p/223891#M8266 gk6565 2017-01-09T11:28:58Z https://community.splunk.com/t5/Splunk-Enterprise/Do-new-roles-become-grantable-roles-by-default-in-Splunk/m-p/223892#M8267 <P>Hi gk6565, </P> <P>It really depends on from which roles(s) your new role inherits from. <BR /> Among the system built-in roles, only admin has the edit_roles_grantable Capability by default. <BR /> If you want to separate and delegate administration tasks between sys-admins and data admins without granting full admin role, restrict grantable capabilities only to the level sub-admins. After you add the edit_roles_grantable capability to the sub-admin role, the role can only create roles with subset of the capabilities that the current user role has. <BR /> For example: <BR /> Add new role user_admin by inheriting from power and user, and assigning the following capabilities to the role: </P> <UL> <LI>edit_roles_grantable</LI> <LI>edit_user</LI> </UL> <P>Users in this roles can only assign limited roles to users. </P> <P>Hope it helps. Thanks!<BR /> Hunter</P> Tue, 29 Sep 2020 12:24:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/Do-new-roles-become-grantable-roles-by-default-in-Splunk/m-p/223892#M8267 hunters_splunk 2020-09-29T12:24:42Z