https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467695#M11780 <P>Is it possible to restrict some of the user/roles from running searches for all time ?</P> Mon, 17 Feb 2020 11:47:57 GMT spl_unker 2020-02-17T11:47:57Z https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467695#M11780 <P>Is it possible to restrict some of the user/roles from running searches for all time ?</P> Mon, 17 Feb 2020 11:47:57 GMT https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467695#M11780 spl_unker 2020-02-17T11:47:57Z https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467696#M11781 <P>Yes, </P> <P>You can create a new role and configure this new role with a restriction.</P> <P>From the authorize.conf docs:</P> <PRE><CODE>srchTimeWin = &lt;number&gt; * Maximum time span of a search, in seconds. * This time window limit is applied backwards from the latest time specified in a search. * By default, searches are not limited to any specific time window. * To override any search time windows from imported roles, set this to '0' (infinite), as the 'admin' role does. * -1 is a special value that implies no search window has been set for this role * This is equivalent to not setting srchTimeWin at all, which means it can be easily overridden by an imported role </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities</A></P> Mon, 17 Feb 2020 11:57:31 GMT https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467696#M11781 nickhills 2020-02-17T11:57:31Z https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467697#M11782 <P>Thank you @nickhillscpl it worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Feb 2020 14:04:16 GMT https://community.splunk.com/t5/Security/Splunk-User-search-limit/m-p/467697#M11782 spl_unker 2020-02-17T14:04:16Z