nobody runs as the Splunk system user, and by default that has admin access.
So you probably don't want to reassign to nobody.
Furthermore, depending on write permissions, the original users might lose the ability to edit the knowledge objects. They will likely lose the ability to remove the objects too...
I understand the code has issues with the KOs not being owned and a person losing access to edit them. So, I'd suggest the system auto-reassigns it to a created-by-Splunk user when it gets shared. And they keep rights to edit if they have shared access. It's really something odd to keep having to manage. Either that or someone needs to come up with a better way to manage it.
Hi @gjanders,
Thanks for the response! Appreciate it. We're planning on just creating something like a local service account and we'll assign the savedsearches there, with the necessary permissions and quotas.
Just a question: would you know if the savedsearches would still run if, let's say for example, its owner already has an expired password?
I do not believe password expiry triggers that scenario (happy to be corrected).
A disabled account *and* a restart of the SH or a refresh of the LDAP cache should trigger this...