My conclusions are:
For the permissions that are positive abilities, you get them all.
- the index access from all roles is merged, therefore your user can search index A and index B (you get most of all).
- for the capabilities, you get all the enabled ones.
- for quotas (search, job, memory...), you get the highest of all.
For the permissions that are restrictive, they all apply.
- the search restrictions are both applied, therefore your hidden final restrictions become ( * AND Properties.auth"="5a004" )
To compare, you can run the search, open the job inspector, and look at the normalized search; you will see all the restrictions applied.
litsearch (Properties.auth "=" 5a004) | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
However, it seems that the role "admin" is special and removes restrictions (keep in mind that splunk-system-role inherits from admin).
See the same search once you inherit from admin:
normalizedSearch
litsearch * | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
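The merge rules concluded in the post above, modelled as an added example for auditing what a user with several roles ends up with; it is not part of the original post and not Splunk's own logic. The `effective()` helper, the role names and the sample values are hypothetical, the setting names are those of authorize.conf, and the admin special case follows the post's observation.

```python
import configparser

# Constructed authorize.conf sample; role names and values are illustrative.
SAMPLE = """
[role_team_a]
srchIndexesAllowed = index_a
srchFilter = *
srchJobsQuota = 3
srchDiskQuota = 100
schedule_search = enabled
[role_team_b]
srchIndexesAllowed = index_b
srchFilter = Properties.auth="5a004"
srchJobsQuota = 10
srchDiskQuota = 50
rtsearch = enabled
[role_admin]
srchIndexesAllowed = *
"""

def effective(conf_text, roles):
    # Hypothetical helper: applies the post's conclusions to a set of roles.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    seen, todo = set(), list(roles)
    while todo:  # follow importRoles transitively
        r = todo.pop()
        if r in seen or not cp.has_section("role_" + r):
            continue
        seen.add(r)
        todo += cp.get("role_" + r, "importRoles", fallback="").split(";")
    idx, caps, filters, quotas = set(), set(), [], {}
    for r in sorted(seen):
        for k, v in cp.items("role_" + r):
            if k == "srchIndexesAllowed":
                idx |= set(v.split(";"))  # indexes: union of all roles
            elif k == "srchFilter":
                filters.append(v)  # restrictions: all apply
            elif k in ("srchJobsQuota", "srchDiskQuota"):
                quotas[k] = max(quotas.get(k, 0), int(v))  # quotas: highest
            elif v == "enabled":
                caps.add(k)  # capabilities: every enabled one
    # Post's observation: inheriting from admin removes the restrictions.
    if "admin" in seen:
        srch = "*"
    else:
        srch = " AND ".join(f"({f})" for f in filters) or "*"
    return {"indexes": idx, "capabilities": caps, "quotas": quotas, "filter": srch}
```

Comparing the returned `filter` with the normalized search shown in the job inspector is a quick way to confirm that a restriction you expect is really in force for a given role combination.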