I want to have the following 3 levels of access:
User: "Belongs" to an app; can create private objects only; cannot schedule
App-Admin: "Belongs" to an app; can share objects to app level so other users can see/use them; can schedule
Admin: System level admin, i.e. Splunk's "root"
The idea is that Users shouldn't be able to change the app, only their view of it. App-Admins can modify basically anything in their app, but should not have any control of Splunk outside of this app. I don't want them to create indexes, inputs, etc. Critically, app-admins need to be able to promote User KOs they deem worthy, from private to app-level sharing.
The app-level admin is not working as intended. KOs created by Users cannot be seen or modified by app admins. Short of giving App-Admin "admin_all_objects" I don't see how to accomplish this. However, my understanding is that setting effectively makes them root.
Is this set-up possible? Any suggestions for alternative plans that effectively mimic the user < app-admin < system-admin design?
... View more