This isn't a question on how to set the permissions, but more on why they are the way they are.
Every object in Splunk (saved search, a view xml, an app, etc) has it's own permissions. I can go into the Manager view, find the object, click "Permissions", and check off who can do what with it.
This isn't the case with indexes however.
I'd like some correction if I'm wrong, but my understanding is that if you want to create an index that can only be readable by a certain role, I have to edit the bottom "Indexes" section on the Role's edit page.
This becomes particularly annoying, since if you want to have 10 all-access indexes, but only one that's restricted to a specific group, you have to edit all of the existing roles' index permissions, specifically list all of the existing indexes minus the one restricted one, and then edit the role for the restricted one and add that there.
Is there a technical reason why they were permissioned out this way, instead of how every other object is?
EDIT: I'd also like to add that this permission layout makes it very difficult to audit who has access to what indexes.
... View more