I'm using Splunk 6.4.2.
I have created a delegated admin role with one user (say d_admin for instance).
Here is its definition, as given by the cli:
role: delegated_admin capabilities: edit_roles_grantable edit_user rest_apps_view rest_properties_get default app: grantable_roles: dashboard_designer;dashboard_viewer imported_capabilities: imported_roles: searchable_indexes: default_index:
dashboard_designer and dashboard_viewer are nothing special, I just use them to define permissions on apps and dashboards.
Now, when I log into d_admin and create a new role (e.g new_role), I can see and manage it just as if it was in the grantable_roles list, but it is not.
I am not at liberty to test if that survives a cold reboot.
My question is the following: Is that a undocumented feature that I can rely on or is that some sort of bug that will bite me if I trust it?
Regards!
it should sustain a reboot. The only way it won't is if you're controlling your permissions through a deployment server, and editing the authorization.conf locally on a search head in an app. If you're editing /etc/system/local, you should be fine, or if that's where it lives.