Here is the solution for this question,
Solution recommended by Splunk
Yes, this is doable, I just helped someone in a similar situation. There are two ways, you can have permissions so that when someone is creating a new search they can start out creating it shareable (i.e. for the app) or the more user friendly way where they can just select the search and change owner from Private to App. To do the latter, you need to create a role that has global write access to that app, then assign this role to the appropriate users.
1.) Create a new role.
2.) As an admin user, in the Splunk Bar at the top of the web interface, select Apps -> Manage Apps . Find the app(s) you'd like to grand permission for and select "Permissions" under the Sharing column. In this list, for the app you're editing permissions, you should see your new role visible, select the checkmark for the write column to enable that role. Then try accessing with a user given that new role and they should be able to share their saved search (change ownership). Alternatively, you could just grant the user role write access to the app (but this would be open to all users, in case you only wanted some users to save searches to an app). A work around without doing anything could also be to have them edit their search and do a "Save As", where they make sure the App is selected to be shared with and save a copy of the search to make available to users. (This might require creating specialized permissions as well, shown in the links below).
If you're curious to see the settings in files to edit, they are in app metadata files. Here are a couple official links with the information above and what we discussed:
I hope this helps everyone, I followed the second option and it works.
To share dashboards the user must have write permissions to the app they want to share the dashboard in. Granting power user will do this, but as stated previously, it is almost certainly overkill.
Instead, I'd suggest creating an app that members of a new role (which you also need to create, and add mentioned users to) has been granted write permission on. The default.meta for this app might look like:
 access = read : [ * ], write : [<newrolename>]
I've implemented a custom app where I want the ability to share dashboards seemlessly for my users. As an additional step to make this more seemless I replaced the dashboards navigation button in the search app to go to my custom app and have the custom app's everything else link back to the search app. It ended up being pretty slick and not having to train a new app switching behavior.
I modified the following files:
<nav search_view="search" color="#5CC05C"> <view name="search" default="true" /> <view name="datasets" /> <view name="reports" /> <view name="alerts" /> <a href="/app/CUSTOM_APP_NAME/dashboards">Dashboards</a> </nav>
and edited the same file in my custom app:
<nav search_view="dashboards"> <a href="/app/search/search">Search</a> <a href="/app/search/datasets">Datasets</a> <a href="/app/search/datasets">Reports</a> <a href="/app/search/alerts">Alerts</a> <view name="dashboards" /> </nav>
This ultimately makes it so that from an end user's perspective they do not have to be trained to use the app switcher. This will simply give them the same workflow they would expect when using the search app to create and share dashboards but will seemlessly switch between the two apps using the main navigation bar in each.
I read the above chain, and yes, Power User will enable users to change permissions and share their dashboards, but the problem is that it also enables way too much capability. For example, the first thing I noticed was that this user (now Power User) can also see all dashboards and indexes -- even if their role includes both Power and User.
It seems the permission model is not applying least-privileged principles...
Correct. Splunk uses a most-privileged security model
As a rule, members of multiple roles inherit properties from the role with the broadest permissions.
Dashboards are shared in the context of the app they are part of. You can share a dashboard with the other users who have permission to see that app. See Configure dashboard permissions in the Dashboards and Visualizations manual.
That's odd, even with basic user permissions, people should be able to share a dashboard with another user. I am not sure of the specific capability that enables you to share a dashboard in an app. It might be
admin_all_objects, which would grant more permission than you probably want.
Yes, that is what I meant when I said "more permission than you probably want."
Someone with more thorough knowledge of capabilities than I have might be able to offer more detailed guidance.
I asked this question in october last year
What permissions can I give a role that will allow users to share searches and dashboards?
I tested the answer and could see that you need to have power user as a minimum to share dashboards