I'm trying to figure out how to have a saved search editable by all the people in a role without creating an opportunity for privileged escalation. This led me to ask questions around who a saved search run's as.
How does it work? Is it the owner? If yes, what if no owner is specified?
I think I would like it to be something like specify a role that it runs as. Is something like that doable?
The saved searches run as the user who owns it. If no owner is specified (No owner is shown in UI or nobody in .meta files), it runs as splunk-system-user account. If you want searches to run as a role, you need to create a user (can keep the same name as the role) having that role and change the owner of the search with that role (by updating owner property in local.meta file).
NEW FEATURE UPDATE! See documentation here:
5. (Optional) Determine whether the search should run as Owner or run as User. This setting determines whether the search runs with the permissions of the search Owner (the person who defined the search) or the permissions of the search User (the person who is running the search). Reports run as Owner by default.
For a detailed explanation of why this setting is significant and how it works, see "Running reports as the report owner or report user," in this topic.