The basic concept of inherited roles is that we can define a "basic user role" which gives users access to the minimum capabilities and property values needed to use Splunk. Additional roles can then be created that ADD capabilities or INCREASE property values.
I believe there are three rules to consider:
- role inheritance is cumulative (i.e. if role_2 inherits from role_1, and role_3 inherits from role_2 only, role_3 inherits ALL the capabilities from role_2 AND role_1);
- if a capability has been granted in a role (say role_1), it cannot be revoked by any subsequent role that inherits role_1;
- if a property value has been set in a role (say role_1), it can only be INCREASED by any subsequent role that inherits role_1. It cannot be DECREASED.
So if we treat any capability as a binary (true / granted = 1, false / denied = 0), then our basic logic is that the highest value for a capability or property wins, regardless of whether that value is set in the current role or the inherited role.
So to finally answer your questions: 🙂
Scenario 1:
role_4 then has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled, and
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.
Scenario 2A:
role_3 has
- capabilities cA=enabled, cB=enabled, cC=enabled, cD=enabled.
This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- capabilities are inherited recursively;
Scenario 2B:
role_3 has
- properties pA=100, pB=200 (from role_2, because 200>100), pC=100 (from role_1, because 100>1), pD=100.
This would be identical to role_3 importing both, role_1 and role_2.
I.e.:
- properties are inherited recursively, taking the highest value for a property defined in more than one role within the inheritance chain.
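As an added illustration (not part of the original answer), the following Python resolver applies the three rules above to a constructed set of role definitions; the role contents are assumptions chosen to reproduce the Scenario 1 results, since the thread does not show the full definitions. It also checks Scenario 2: role_3 importing role_2 only resolves identically to role_3 importing both role_1 and role_2.

```python
from typing import Dict, Set, Tuple

# Constructed role definitions (assumption, not from the thread): chosen so
# that role_4 resolves to the Scenario 1 result quoted in the answer.
ROLES = {
    "role_1": {"imports": [], "caps": {"cA", "cB"},
               "props": {"pA": 100, "pB": 100, "pC": 100, "pD": 100}},
    "role_2": {"imports": ["role_1"], "caps": {"cC"},
               "props": {"pB": 200, "pC": 1}},      # pC=1 is lower: ignored
    "role_3": {"imports": ["role_2"], "caps": {"cD"}, "props": {}},
    "role_4": {"imports": ["role_3"], "caps": set(), "props": {}},
}


def resolve(role: str, roles: Dict = ROLES, path: Tuple[str, ...] = ()
            ) -> Tuple[Set[str], Dict[str, int]]:
    """Return the effective (capabilities, properties) for `role`.

    Rule 1: inheritance is cumulative, so parents are resolved recursively.
    Rule 2: capabilities are a union (once granted, never revoked).
    Rule 3: properties take the maximum (a value is only ever raised).
    `path` tracks the current import chain so an import cycle is reported
    instead of recursing forever; diamond imports are still allowed.
    """
    if role in path:
        raise ValueError(f"import cycle: {' -> '.join(path + (role,))}")
    spec = roles[role]
    caps: Set[str] = set(spec["caps"])
    props: Dict[str, int] = dict(spec["props"])
    for parent in spec["imports"]:
        pcaps, pprops = resolve(parent, roles, path + (role,))
        caps |= pcaps
        for name, value in pprops.items():
            props[name] = max(props.get(name, value), value)
    return caps, props


def variant(roles: Dict, role: str, imports) -> Dict:
    """Copy of `roles` with `role`'s import list replaced (Scenario 2 check)."""
    new = {name: {**spec} for name, spec in roles.items()}
    new[role] = {**new[role], "imports": list(imports)}
    return new


if __name__ == "__main__":
    print("role_4:", resolve("role_4"))
    print("role_3 via role_2 only:", resolve("role_3"))
    print("role_3 via role_1+role_2:",
          resolve("role_3", variant(ROLES, "role_3", ["role_1", "role_2"])))
```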