Splunk Enterprise Security Certified Analyst — Question 5
A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?
Answer options
- A. Create a new role without the output_file capability that inherits the default user role and assign it to the users.
- B. Create a new role with the output_file capability that inherits the default user role and assign it to the users.
- C. Edit the default user role and remove the output_file capability.
- D. Clone the default user role, remove the output_file capability, and assign it to the users.
Correct answer: D
Explanation
The correct answer is D. Cloning the default user role produces an independent copy, so you can remove the output_file capability from the copy while keeping the role's other permissions and leaving the original untouched. Options A and B do not remove the capability, because a role that inherits the default user role also inherits its capabilities, output_file included. Option C alters the default role itself, which is not advisable for managing user permissions.