Splunk: Do new roles become grantable roles by default?

1.1k views Asked by At

I'm using Splunk 6.4.2.

I have created a delegated admin role with one user (say d_admin for instance). Here is its definition, as given by the cli:

role:       delegated_admin
capabilities:           edit_roles_grantable edit_user rest_apps_view rest_properties_get 
default app:        
grantable_roles:            dashboard_designer;dashboard_viewer 
imported_capabilities:          
imported_roles:         
searchable_indexes:         
default_index:          

dashboard_designer and dashboard_viewer are nothing special, I just use them to define permissions on apps and dashboards.

Now, when I log into d_admin and create a new role (e.g new_role), I can see and manage it just as if it was in the grantable_roles list, but it is not. I am not at liberty to test if that survives a cold reboot.

My question is the following: Is that a undocumented feature that I can rely on or is that some sort of bug that will bite me if I trust it?

Regards!

1

There are 1 answers

0
theGlitchKing On

it should sustain a reboot. The only way it won't is if you're controlling your permissions through a deployment server, and editing the authorization.conf locally on a search head in an app. If you're editing /etc/system/local, you should be fine, or if that's where it lives.