A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?
The best way to remove the output_file capability from users is to clone the default user role, remove the output_file capability from this cloned role, and then assign the new role to the users. This avoids directly modifying the default user role, which is a best practice. Creating a new role that inherits from the default user role (as suggested in option A) would not work because the new role would still retain the inherited capabilities, including output_file. Therefore, cloning the role ensures that you can configure the new role precisely as needed without impacting the integrity of the default roles.
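An added example, not part of the original answer and not Splunk's own code: a small audit over authorize.conf text that resolves importRoles, showing why an inheriting role still holds output_file while a clone does not. The config fragment and the role names user_inherited and user_clone are constructed, and the resolution model (a role's own enabled capabilities plus those of every imported role) is an assumption that follows the behaviour described above.

```python
import configparser

# Constructed authorize.conf fragment. "user_inherited" and "user_clone" are
# hypothetical role names; the capability list for "user" is abbreviated.
SAMPLE_CONF = """
[role_user]
search = enabled
input_file = enabled
output_file = enabled

[role_user_inherited]
importRoles = user

[role_user_clone]
search = enabled
input_file = enabled
"""

def load_roles(text):
    """Return {role: (own_capabilities, imported_roles)} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        items = dict(parser[section])  # configparser lower-cases the keys
        imports = [r.strip() for r in items.pop("importroles", "").split(";") if r.strip()]
        # Assumption: only "<capability> = enabled" lines count as capabilities.
        own = {key for key, value in items.items() if value.strip() == "enabled"}
        roles[section[len("role_"):]] = (own, imports)
    return roles

def effective_capabilities(roles, name, seen=None):
    """Own capabilities plus everything reachable through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against import cycles
        return set()
    seen.add(name)
    own, imports = roles[name]
    caps = set(own)
    for parent in imports:
        caps |= effective_capabilities(roles, parent, seen)
    return caps

def roles_with(roles, capability):
    """Sorted names of roles that effectively hold the capability."""
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))
```

Calling `roles_with(load_roles(SAMPLE_CONF), "output_file")` lists the default role and the inheriting role, but not the clone.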
D is correct. If the new role inherits the user role, user role will have the capabilities from user role; you cannot remove it from the new role, but if you clone it, it would be possible.
D is correct
A is correct. NEVER edit a default role.
I agree to never edit a default role but the answer is D. If a role inherits another role, it gets its capabilities as well, which in this case we do not desire.
I think the answer is A because if you upgrade Splunk, they will make some modifications to the original role. So, it's better to create a new role which inherits properties from the original one and make your custom modifications.
But answer A inherits the default user role, hence it will still have the output_file capability. With D you are cloning the role, then editing the new role you created. I think the answer is D.
Ref: CI Notes p.116 Roles cannot remove capabilities when they inherit them from another role! "C" is a possible option which will work, but it's not a best practice. Page 118 states "One quick fix is to adjust the default “user” role to take away the *** setting", but that's a quick and dirty fix, which will remove this capability globally from all users... The best option is "D", but it's better to set the output_file capability to "disabled" rather than removing it. I'm not sure what the default behavior will be like when the capability is removed and not set to disabled.