Not sure if this is normal, but I noticed that all Power role users have write access to all lookup files. Is there a capability that i have included that is doing that?
Power Group:
Imports user
capabilities: edit_sourcetypes, embed_report, schedule_search, search_process_config_refresh.
I am looking to make the lookup editor available to users so that they can modify their own lookup tables, but i noticed that power users can edit all lookups including the bundled splunk ones 😮
Try this,
$SPLUNK_HOME/etc/apps/your_app/metadata/default.meta add below lines
[lookups]
export = system
access = read : [ * ], write : [ admin, required_role ]
Try this,
$SPLUNK_HOME/etc/apps/your_app/metadata/default.meta add below lines
[lookups]
export = system
access = read : [ * ], write : [ admin, required_role ]
Ah ok, makes sense, thought maybe I accidentally included a capability. Thanks!