I want to have the following 3 levels of access:
The idea is that Users shouldn't be able to change the app, only their view of it. App-Admins can modify basically anything in their app, but should not have any control of Splunk outside of this app. I don't want them to create indexes, inputs, etc. Critically, app-admins need to be able to promote User KOs they deem worthy, from private to app-level sharing.
The app-level admin is not working as intended. KOs created by Users cannot be seen or modified by app admins. Short of giving App-Admin "admin_all_objects" I don't see how to accomplish this. However, my understanding is that setting effectively makes them root.
Is this set-up possible? Any suggestions for alternative plans that effectively mimic the user < app-admin < system-admin design?
The "power" role does much of what you're looking to accomplish.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Aboutusersandroles#About_roles