I'm setting up my roles like this:
== Global Roles ==
- Admin Role
- Manager Role
- Users
== App Specific Roles ==
- AppName_R
- AppName_RW
- AppName2_R
- AppName2_RW
... etc ... You get the idea.
I have everything nicely set up for the Admin role and for the app specific roles. All of the app roles inherit from the "users" role and inherit basic permissions from there.
Admin Role is the default admin role that comes with Splunk.
Each app is configured with only three checkboxes checked on the permissions page:
Role Read Write
AppName_R X
AppName_RW X X
Like so.
This works great, since it makes setting permissions for new apps nice and easy, and is obvious to users who can do what.
Admins can automatically read and write to everything, even if permissions aren't explicitly given.
What I'm trying to create for the Manager Role is a user who can automatically read from everything (just like admins), but doesn't have any explicit write permissions.