Hey Patrick,
Further checking, found that "removable" is not a property that can be set, this is what the permissions are on the object for the user doing the call. they are calculated based on the sharing permissions (ACLs) of the app/category/object.
"removable" is set based on the config it is coming from default or local.
That means, if you have a saved search saved in a default directory/location, then the "removable" is set to 0 and for the saved search in local directory it is set to 1.
You can run the below search on your search head for the respective saved searches to find out what the removable property has been set to.
SPL:
| rest /servicesNS/admin/search/saved/searches/ | table id eai*
Check for "eai:acl.removable" property in the saved search and verify from which location the saved search is saved.
The default ones will have removable=0, the local ones 1. And this is not a property you can set, it’s just the system letting you know what you can do to that object
i.e. If you want a search to not be removable. it needs to be in a default folder rather than a local folder.
However, you can change permissions to make a user not be able to remove an object, sure, but you won’t be changing “removable” directly, instead you would be changing the write permission on the container for that user/role as that controls whether a user can delete things inside that container.
REF:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Disableordeleteknowledgeobjects
Hope the above helps!
... View more