I see capabilities in Splunk are defined in authorize.conf. For security reasons, I want to disable the delete-by-keyword capability in Splunk so no user could delete any data in Splunk.
Could I just delete the line that defines the capability and all roles related to it?
I just tried this out myself. Just comment out this line in $SPLUNK_HOME/etc/system/default/authorize.conf and restart Splunk.
# [capability::delete_by_keyword]
The capability will no longer exist for the can_delete role, and you won't be able to assign it to any other role in the Splunk UI.
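As an added example (not part of the thread above, and not Splunk's own code), here is a small audit script that answers the underlying question "which roles can actually delete?" from the config files rather than from the UI. It models two things Splunk documents: stanzas in etc/system/local/authorize.conf override the same keys in etc/system/default/authorize.conf (which matters because files under system/default are replaced on upgrade, so an override belongs in system/local), and a role inherits the capabilities of the roles listed in importRoles. It treats a role setting a capability to `disabled` as revoking an inherited or default-layer grant; that interpretation of `disabled`, the sample stanzas, and the role name `cleanup_ops` are assumptions made for the example. It also flags role stanzas that still enable a capability for which no `[capability::...]` stanza exists, which is what commenting out the capability stanza alone leaves behind.

```python
"""Audit which Splunk roles effectively hold a capability such as delete_by_keyword.

Added example, not from the thread. The two conf texts below are constructed
stand-ins for etc/system/default/authorize.conf and etc/system/local/authorize.conf.
"""
import configparser

# Constructed sample of the default layer (trimmed; real file is much larger).
DEFAULT_CONF = """
[capability::delete_by_keyword]
[capability::search]
[capability::edit_user]

[role_admin]
importRoles = power;user
edit_user = enabled

[role_power]
importRoles = user

[role_user]
search = enabled

[role_can_delete]
delete_by_keyword = enabled
"""

# Constructed sample of the local layer: revoke the grant on can_delete without
# touching system/default. ASSUMPTION modelled here: 'disabled' revokes a grant
# coming from an imported role or from the default layer.
LOCAL_CONF = """
[role_can_delete]
delete_by_keyword = disabled

[role_cleanup_ops]
importRoles = can_delete
"""


def parse_conf(text):
    """Parse a Splunk .conf text into {stanza: {key: value}} (keys case-preserved)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Splunk keys such as importRoles are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def merge_layers(*layers):
    """Apply layers in order; a later layer overrides keys in the same stanza."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def defined_capabilities(conf):
    """Names from [capability::<name>] stanzas."""
    return {s.split("::", 1)[1] for s in conf if s.startswith("capability::")}


def effective_capabilities(conf, role, _seen=None):
    """Resolve a role's capability set, following importRoles; 'disabled' revokes."""
    _seen = _seen if _seen is not None else set()
    if role in _seen:  # guard against import cycles and repeated parents
        return set()
    _seen.add(role)
    stanza = conf.get(f"role_{role}", {})
    caps = set()
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(conf, parent.strip(), _seen)
    for key, value in stanza.items():
        if key == "importRoles":
            continue
        if value.strip().lower() == "enabled":
            caps.add(key)
        elif value.strip().lower() == "disabled":
            caps.discard(key)
    return caps


def roles_with(conf, capability):
    """Sorted list of roles that end up holding the capability."""
    roles = [s[len("role_"):] for s in conf if s.startswith("role_")]
    return sorted(r for r in roles if capability in effective_capabilities(conf, r))


def dangling_grants(conf):
    """(role, capability) pairs enabled in a role but with no [capability::...] stanza."""
    known = defined_capabilities(conf)
    out = []
    for stanza, kv in conf.items():
        if stanza.startswith("role_"):
            for key, value in kv.items():
                if key != "importRoles" and value.strip().lower() == "enabled" and key not in known:
                    out.append((stanza[len("role_"):], key))
    return sorted(out)


if __name__ == "__main__":
    effective = merge_layers(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))
    print("roles with delete_by_keyword:", roles_with(effective, "delete_by_keyword"))
    # What the accepted answer's edit leaves behind: the role still enables it.
    commented = DEFAULT_CONF.replace("[capability::delete_by_keyword]", "# [capability::delete_by_keyword]")
    print("dangling grants after commenting the stanza:", dangling_grants(parse_conf(commented)))
```

Run it against real files by replacing the two constructed strings with the contents of the default and local authorize.conf (plus any app-level authorize.conf, in the same precedence order) and checking that `roles_with(..., "delete_by_keyword")` comes back empty; an empty list is the actual security property you want, independent of whether the UI still offers the checkbox.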