How to set-up permissions for "app level" admins?

twinspop · ‎09-30-2016

I want to have the following 3 levels of access:

User: "Belongs" to an app; can create private objects only; cannot schedule
App-Admin: "Belongs" to an app; can share objects to app level so other users can see/use them; can schedule
Admin: System level admin, i.e. Splunk's "root"

The idea is that Users shouldn't be able to change the app, only their view of it. App-Admins can modify basically anything in their app, but should not have any control of Splunk outside of this app. I don't want them to create indexes, inputs, etc. Critically, app-admins need to be able to promote User KOs they deem worthy, from private to app-level sharing.

The app-level admin is not working as intended. KOs created by Users cannot be seen or modified by app admins. Short of giving App-Admin "admin_all_objects" I don't see how to accomplish this. However, my understanding is that setting effectively makes them root.

Is this set-up possible? Any suggestions for alternative plans that effectively mimic the user < app-admin < system-admin design?

jimodonald · ‎09-30-2016

The "power" role does much of what you're looking to accomplish.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Aboutusersandroles#About_roles

How to set-up permissions for "app level" admins?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases