https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416759#M73594 <P>In the Web UI under Settings &gt; Access controls &gt; Roles &gt; New Role, create a role called subadmin [or name of your choice]. In the Capabilities section select ‘add all’ in the Available capabilities. </P> <P>Next, under the Selected capabilities panel remove:</P> <P>• delete_by_keyword<BR /> • edit_roles</P> <P>If there are any other capabilities you want to remove from the subadmin role, return them to the Available capabilities panel. </P> <P>Edit the $SPLUNK_HOME/etc/system/local/authorize.conf file [DO NOT change the $SPLUNK_HOME/etc/system/default/authorize.conf] by adding this entry under the [role_subadmin]:</P> <P>[role_subadmin]<BR /> grantableRoles = subadmin</P> <P>Save the changes, go back to Access controls &gt; Authentication method and select the ‘Reload authentication configuration’. This will read the Authorize.conf file and apply the changes above. </P> <P>Assign all the admins to this new role (subadmin) who should not have the ability delete data or to let anyone else delete data. These users will not have that option [delete_by_keyword] in their list of capabilities, nor will they have the role ‘can_delete’. </P> Tue, 29 Sep 2020 22:14:05 GMT tchimento 2020-09-29T22:14:05Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416758#M73593 <P>There are regulatory guidelines for some institutions, such as banks, that put strict limits on the option to delete data. I need to have that limit. </P> Fri, 30 Nov 2018 23:36:11 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416758#M73593 tchimento 2018-11-30T23:36:11Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416759#M73594 <P>In the Web UI under Settings &gt; Access controls &gt; Roles &gt; New Role, create a role called subadmin [or name of your choice]. In the Capabilities section select ‘add all’ in the Available capabilities. </P> <P>Next, under the Selected capabilities panel remove:</P> <P>• delete_by_keyword<BR /> • edit_roles</P> <P>If there are any other capabilities you want to remove from the subadmin role, return them to the Available capabilities panel. </P> <P>Edit the $SPLUNK_HOME/etc/system/local/authorize.conf file [DO NOT change the $SPLUNK_HOME/etc/system/default/authorize.conf] by adding this entry under the [role_subadmin]:</P> <P>[role_subadmin]<BR /> grantableRoles = subadmin</P> <P>Save the changes, go back to Access controls &gt; Authentication method and select the ‘Reload authentication configuration’. This will read the Authorize.conf file and apply the changes above. </P> <P>Assign all the admins to this new role (subadmin) who should not have the ability delete data or to let anyone else delete data. These users will not have that option [delete_by_keyword] in their list of capabilities, nor will they have the role ‘can_delete’. </P> Tue, 29 Sep 2020 22:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416759#M73594 tchimento 2020-09-29T22:14:05Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416760#M73595 <P>Also note that you MUST keep edit_grantable_roles in the new admin account. That replaces the edit_roles that was disabled/unselected. </P> Tue, 29 Sep 2020 22:14:07 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-an-admin-role-that-doesn-t-have-access-to-delete-by/m-p/416760#M73595 tchimento 2020-09-29T22:14:07Z