Hi... I am not sure if this is true for all. I have been running scripts successfully on v6.2.4 with a generic role without "edit_scripted" capability.

According to the authorize.conf docs, edit_scripted lets you edit scripted inputs.

runshellscript as a search command is not supported: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Runshellscript

I constructed a role with very few capabilities and could not use runshellscript nor have one of my alerts call a shell script. I added 'edit_scripted' to my pared down role and voila everything started working.

Therefore, I'm guessing that it is a needed capability.

I would love it if someone from Splunk could actually consult the code to answer this question.

perhaps some capabilities are super-sets of editscripted? ie: if you have capability "X" then you don't need "editscripted".

I really wish someone who has access to the splunk code would weigh in here!