I am creating a script that uses the CLI to create/delete Splunk roles. So far, I have been successful with creating them in the script when I use the admin user.

However, my CISO says that I can't use the Splunk admin user and I need to create a Splunk User (and a Splunk Role) that can create and delete indexes.

I have tried adding the indexes_edit capability and when I tried doing the delete as my user, Splunk said that I needed to have the list_inputs capability. i have also tried adding access to all indexes.

I am using this document at the moment for my guidance, but it is rather light on detail:

https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities

The command that i am running is:

curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindex

I get the following:

<response>
  <messages>
    <msg type="ERROR">Action forbidden.</msg>
  </messages>
</response>

This command succeeds if I use the admin user, but not with my editor user.

The current capabilities that I have to my existing editor role are:

[role_editor]

admin_all_objects = disabled

edit_roles = enabled

indexes_edit = enabled

list_inputs = enabled

srchIndexesAllowed = *

srchMaxTime = 8640000

srchTimeEarliest = -1

srchTimeWin = -1

Does anyone know what extra capabilities I need, please?