https://community.splunk.com/t5/Security/View-only-User/m-p/555715#M12317 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232788">@florianhh</a>&nbsp;</P><P>One way to control is having searchFilter and allow only indexes that you want this person to see at app level.</P><P>Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.</P><LI-CODE lang="markup">#authorize.conf should be deployed to Search head ## Same can be accomplished in UI [role_ninja] importRoles = user srchFilter = host=foo srchIndexesAllowed = index1</LI-CODE><P>---</P><P>An upvote would be appreciated if it helps!</P> Tue, 15 Jun 2021 05:13:15 GMT venkatasri 2021-06-15T05:13:15Z https://community.splunk.com/t5/Security/View-only-User/m-p/555666#M12315 <P>Hello Splunkys,</P><P>i read this post&nbsp;<A href="https://community.splunk.com/t5/Archive/Limit-user-access-to-view-dashboard-only/m-p/224070#M31471" target="_self">Link</A>&nbsp;on the Splunk Forum.&nbsp;</P><P>I created a App and it only contains 1 dashboard. I create a user that has only access to this app.</P><P>But you can't disable the users permission to view the search app.</P><P>If you do that you get a 500 error after logging in.&nbsp;</P><P>If you dont do it and allow view for the search app then it works but then the user is able to search more.</P><P>Also Basically every think in Splunk that is clickable at that point will prompt you with a 500 internal server error page. Thats not cool.</P><P>We need a Role for Helpdesk personal that shows something but we do not want that these persons can lookup some spl and spy on employee's.</P> Mon, 14 Jun 2021 14:21:01 GMT https://community.splunk.com/t5/Security/View-only-User/m-p/555666#M12315 florianhh 2021-06-14T14:21:01Z https://community.splunk.com/t5/Security/View-only-User/m-p/555715#M12317 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232788">@florianhh</a>&nbsp;</P><P>One way to control is having searchFilter and allow only indexes that you want this person to see at app level.</P><P>Having said that that's the app scope, if the same user having other roles assigned which has wider access then you can not control it then you should reach to your Splunk admin.</P><LI-CODE lang="markup">#authorize.conf should be deployed to Search head ## Same can be accomplished in UI [role_ninja] importRoles = user srchFilter = host=foo srchIndexesAllowed = index1</LI-CODE><P>---</P><P>An upvote would be appreciated if it helps!</P> Tue, 15 Jun 2021 05:13:15 GMT https://community.splunk.com/t5/Security/View-only-User/m-p/555715#M12317 venkatasri 2021-06-15T05:13:15Z https://community.splunk.com/t5/Security/View-only-User/m-p/555734#M12318 <P>Thank you !</P><P>I've tried that from the WebUI but it did not work.</P><P>I now did it trough&nbsp; the .conf file as you suggested and now it works.</P><P>Oddly now the webUI Shows (EventCode::4740)&nbsp; as filter.&nbsp; Why is that odd format with :: ?</P> Tue, 15 Jun 2021 07:32:48 GMT https://community.splunk.com/t5/Security/View-only-User/m-p/555734#M12318 florianhh 2021-06-15T07:32:48Z https://community.splunk.com/t5/Security/View-only-User/m-p/555881#M12323 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232788">@florianhh</a>&nbsp;</P><P>:: is used for indexed fields preferred by Splunk. Otherwise EventCode=1234 OR&nbsp;EventCode::1234 both are same. If EventCode is not an indexed field with :: you won't get any results. It's always better to search in UI first and add it to search filter.</P><P>--</P><P>An upvote would be appreciated if it helps!</P> Wed, 16 Jun 2021 00:06:32 GMT https://community.splunk.com/t5/Security/View-only-User/m-p/555881#M12323 venkatasri 2021-06-16T00:06:32Z