I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.
What are the minimum capabilities needed to login via REST and access saved searches? I know I need rest_properties_get but what is the bare minimum needed to login and search.
It's an old question, but i came though the same issue.
You have to enable "dispatch_rest_to_indexers" for the Role to query also Indexers rest api (like Storage or any other api inside Indexers side).
It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.
What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.
(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)
In my environment the user role already had the following rest-related capabilities:
It turned out that this was not enough to allow a user to authenticate, I created a new role and found that just by adding a single capability the user was able to authenticate and use the API: