Expanding on our recommended model for managing users and roles, we suggest that you manage index access in the roles associated with Logical User Groups instead of in the Splunk User and Power roles.
Remove all index access from the Splunk User and Power roles. For the built-in Splunk User and Power roles, remove all indexes in the ‘Indexes searched by default’ and ‘Indexes’ tabs near the bottom of the Access Controls -> Roles dashboard.
Assign the necessary indexes to the Splunk role associated with each Logical User Group. If you find that different users within a Logical User Group require access to different indexes, you have two options, depending on your level of openness.
If you are comfortable with users accessing more data than is required, assign all necessary indexes to the role associated with the Logical User Group.
If you require more granularity, create multiple overlay roles, each containing the minimum required indexes. The overlay roles will be assigned to the subset of users that require access to specific indexes.
Alternatively, we work with a few Splunk users who have assigned an individual Splunk role to each index and then leveraged their Identity Management Solution, such as SailPoint, to assign index access to each user. While we do not believe there is a technical advantage to this approach, your Identity Management Solution will provide auditing and reporting that isn’t available in Splunk.
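To check the role model described above, the following added example (not part of the original article and not Splunk tooling) audits authorize.conf text: it flags index access left on the built-in user and power roles and computes each role's effective indexes, including those inherited through importRoles. The group, overlay and index names in the sample are hypothetical, and the input is assumed to be the merged role configuration.

```python
import configparser
# Constructed sample authorize.conf text; group, overlay and index names are hypothetical.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed =
srchIndexesDefault =
[role_power]
srchIndexesAllowed = main
[role_grp_netops]
importRoles = user
srchIndexesAllowed = network;firewall
[role_overlay_pci]
srchIndexesAllowed = pci
"""
BUILTIN = ("user", "power")  # roles that should grant no indexes in this model

def _items(cp, section, key):
    raw = cp.get(section, key, fallback="")
    return [v.strip() for v in raw.split(";") if v.strip()]  # lists are ';'-separated

def parse_roles(text):
    """Map role name -> its imported roles and the indexes it grants directly."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    roles = {}
    for s in cp.sections():
        if s.startswith("role_"):
            idx = set(_items(cp, s, "srchIndexesAllowed"))
            idx |= set(_items(cp, s, "srchIndexesDefault"))
            roles[s[5:]] = {"imports": _items(cp, s, "importRoles"), "indexes": idx}
    return roles

def effective_indexes(roles, name, seen=None):
    """Indexes reachable by a role, including those inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against cycles and unknown roles
        return set()
    seen.add(name)
    result = set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        result |= effective_indexes(roles, parent, seen)
    return result

def audit(text):
    """Return (built-in roles still granting indexes, effective indexes per role)."""
    roles = parse_roles(text)
    bad = {r: sorted(roles[r]["indexes"]) for r in BUILTIN if r in roles and roles[r]["indexes"]}
    return bad, {r: sorted(effective_indexes(roles, r)) for r in roles}
```

In the sample, the power role still grants `main` and is reported, while the group role's effective access is limited to its own indexes because the user role it imports grants none.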