I am attempting to allow for a more granular access to our indexes, i have been attempting to remove the use of the default admin,power,user roles. (which include all non-internal splunk indexes)
The new idea is to have the capabilities of the default roles added into new roles or capabilities groups, with no ability to view indexes associated to them.
In addition various view roles have been created with no capabilities, they only include access to view indexes adding groups of indexes in a single role, or allowing for a specific user to access 1 index.
view-base security clearance
The issue i have encountered is when assigning a new role with capabilities-user, which i have created with slighty more restricted capabilities then the normal user role, my new role (capabilities-user) is unable to edit the permissions on the saved searches it creates.
I have seen some sites mention not to edit/modify the base user roles, and i wanted to know if it is safe to remove the view all non-internal indexes from the default roles.
My tests showed that if i inherit the base user role to my newer modular role , ex. capabilities-user would inherit user, this allows the users of new role to once again edit the permissions of their saved searches.
What is unique about the default "user" role and why are the abilities to edit your own report permissions not included in the capabilities-user i have created, is their a way to get this functionality without inheriting the default roles?
I have managed to get the newly created capabilities roles functioning as expected. the missing component was going into the search application and granting the new roles write access to the application. I am still in the process of searching for documentation outlining the potential impact of allowing write access to an app.