I had a similar thing happen. Mine was closed and I was told to post on Splunk Ideas.

Here's the post in case anyone wants to upvote it:
https://ideas.splunk.com/ideas/EID-I-854

Seems based on one reply that is was supposedly "under investigation" but that was 2 years ago and still seems to be an issue in 9.0.4.

I'm the team member responsible for managing this type of thing for all of the teams who use our enterprise wide Splunk environment but do not have the access/permissions to use a lot of the solutions people are suggesting on this thread so it's still a bit frustrating that we have objects owned by users who left the company 4 years ago.

That actually isn't true....

I can re-assign all other "non-search" objects from the "All configurations" page:

• props-extract (except for source based or ones with sourcetypes with colons.... see examples below)
• transforms-extract
• views
• transforms-lookup
• macros
• eventtypes
• fvtags
• fieldaliases
• workflow-actions

The only thing missing completely is calculated fields which I cannot reassign from this UI which doesn't seem to make sense when we can reassign all other objects from the UI.

I can reassign all other extracted fields and field transformations from the UI. The only ones that I cannot reassign are the ones that are source-based or are sourcetype based with a colon in the sourcetype name.

Sourcetype example:

Sourcetype: wineventlog:taskscheduler
Name: WinEventLogTaskScheduler-EventCode103Message
Regex: Task Scheduler failed to launch action \"(?P<FailedAction>[^\"]+)\" in instance \"\{(?P<FailedInstance>[^\"]+)\}\" of task \"(?P<Task>[^\"]+)\"\. Additional Data\: Error Value\: (?P<ErrorValue>[^\.]+)\. 
Field Extraction Name: wineventlog:taskscheduler : EXTRACT-WinEventLogTaskScheduler-EventCode103Message
***Please note the colon in the sourcetype name

Source example:
***I don't have a good source example that I would be able to post on here but for a fake example:

Source: this/is/a/pretend/source.log
Name: Destination
Regex: ^\w+\s\d+\s\d{2}:\d{2}:\d{2}\s(?<dest>\S+)
Field Extraction Name: source::this/is/a/pretend/source.log : EXTRACT-Destination
***Note that splunk adds the "source::" before the source.... I think the colons may be conflicting

I don't know for sure that the colon is the issue since I don't know how Splunk does the reassignment behind the scenes but based on some extensive testing I've done in my own environment (running on 8.1.3) this seems to be a common denominator....

I do have a bug investigation open with support to look into this issue.

I've encountered this issue as well - any update on how to resolve it?

The fix they recommended to me was to use the REST method. Our team does not want to use this since that is not ideal in a clustered environment. I can update this thread if anything comes from the bug investigation that was submitted.  Fingers crossed it gets updated in a future version because the UI method is so much more convenient 🤞

I used the REST method, and found that it worked even in a clustered environment (Search Heads and indexers).

Command used on a search head:
curl -k -u admin:<password> https://localhost:8089/servicesNS/<old  owner>/ING-SA-Search/data/props/extractions/<object>/acl -d 'owner=<new owner>' -d 'sharing=app'

Where object is the urlencoded version of the full field extraction name, e.g.
my:srctype : EXTRACT-SomethingInteresting
Becomes
my:srctype%20:%20EXTRACT-SomethingInteresting

I found that this change was then replicated to the other search heads appropriately

Hi @jimmoriarty , we have the same issue and tried using your workaround, but it does not work:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Action forbidden.</msg>
</messages>
</response>
Do you have any hints?
Greetings,
Justyna

Convert <object> in urlencoded version.

curl -k -u admin:<password> https://localhost:8089/servicesNS/<old  owner>/<Object App>/data/props/extractions/<object>/acl -d 'owner=<new owner>' -d 'sharing=app'

It will work