I am attempting to allow for a more granular access to our indexes, i have been attempting to remove the use of the default admin,power,user roles. (which include all non-internal splunk indexes)
The new idea is to have the capabilities of the default roles added into new roles or capabilities groups, with no ability to view indexes associated to them.
capabilities-user
capabilities-power
capabilities-admin
In addition various view roles have been created with no capabilities, they only include access to view indexes adding groups of indexes in a single role, or allowing for a specific user to access 1 index.
view-base hire
view-base security clearance
view-index 5
The issue i have encountered is when assigning a new role with capabilities-user, which i have created with slighty more restricted capabilities then the normal user role, my new role (capabilities-user) is unable to edit the permissions on the saved searches it creates.
I have seen some sites mention not to edit/modify the base user roles, and i wanted to know if it is safe to remove the view all non-internal indexes from the default roles.
My tests showed that if i inherit the base user role to my newer modular role , ex. capabilities-user would inherit user, this allows the users of new role to once again edit the permissions of their saved searches.
What is unique about the default "user" role and why are the abilities to edit your own report permissions not included in the capabilities-user i have created, is their a way to get this functionality without inheriting the default roles?
... View more