I have an admin-in-training, that requires access to see everything but NO access to change anything.
I am on version 7.3.3.
Is there a way to create an Admin-read-only role?
If not, any best practices (in splunk enterprise) to audit a user with admin-role, is greatly appreciated.
Thank you Rich, checking, will reply with results.
Unfortunately your suggestions work for only a limited number of items.
For instance, I was not able to give the read-only role access to the "access control" settings nor limit app management for the read-only role, the role had full power to disable, etc.
Therefor we will need to audit the confs and give the user full admin.
However, I will accept your answer as it partially worked.