How to set-up permissions for "app level" admins?


I want to have the following 3 levels of access:

  • User: "Belongs" to an app; can create private objects only; cannot schedule
  • App-Admin: "Belongs" to an app; can share objects to app level so other users can see/use them; can schedule
  • Admin: System level admin, i.e. Splunk's "root"

The idea is that Users shouldn't be able to change the app, only their view of it. App-Admins can modify basically anything in their app, but should not have any control of Splunk outside of this app. I don't want them to create indexes, inputs, etc. Critically, app-admins need to be able to promote User KOs they deem worthy, from private to app-level sharing.

The app-level admin is not working as intended. KOs created by Users cannot be seen or modified by app admins. Short of giving App-Admin "admin_all_objects" I don't see how to accomplish this. However, my understanding is that setting effectively makes them root.

Is this set-up possible? Any suggestions for alternative plans that effectively mimic the user < app-admin < system-admin design?

0 Karma


The "power" role does much of what you're looking to accomplish.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!