How do I fix this 403 error I got after updating a saved search permission by using ACL REST API?


Hi, I'm new in Splunk alerting and I met a problem on changing alert permission by using ACL REST API. 

I'm writing a script to help me create Splunk alerts through REST API, and I use the saved/searches endpoint to create a new alert and the everything goes well, the alert is created successfully.

Then I add `{alert_name}/acl` into the url and attempt to update the alert's permission which I have created before.  But I receive an 403 error tell me "You do not have permission to change the owner of this object".



<?xml version="1.0" encoding="UTF-8"?>
    <msg type="ERROR">You do not have permission to change the owner of this object.</msg>



More confused is I can change the permission on Splunk Web GUI, I can see the "edit permission" button for this alert. BTW, my account doesn't have the admin role.


I have no ideas on this problem and I don't know whether it related to account role or any capability. Does anyone encountered the same problem? Need your help and much appreciate!

Labels (3)
0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...