I have knowledge objects in my custom apps which are created & managed in /default by manually uploading to splunkcloud and installing. this causes me a couple of problems :
1. even though they have write perms in default.meta for sc_admin only, users with other roles can change the knowledge objects through the ui - for example they can disable a savedsearch. presumably this creates a new copy in /local which means that my perms from default.meta no longer apply because new perms are written in local.meta. am i correct in my assessment, and if so what is the point of write perms?
2. once the user has created a /local copy of the savedsearch by changing or disabling it, there is a lock or conflict situation.... the ui /local version always gets precedence, and because there is also a version in /default i can no longer see a delete option for the ui version. so i am stuck with the ui version forever. in other words, the person with zero perms wins over the sc_admin.
The only ways I have found to get out of this situation are (a) ask splunk cloudops to delete the files from /local, which takes 3 days, or (b) to rename all of the savedsearches in /default, upload and install the app, manually delete the versions that the user created in the ui, name the /default versions back again, and upload / install the app a 2nd time.
Am i missing something in terms of a better way to rectify things when this happens and why this might be the correct splunk behaviour?