https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462285#M10802 <P>This probably came from me. I talk a lot about the concept of using apps as Workspaces. The premise is that as the user base of Splunk grows, you would do well to give each group their own app, or Workspace, to work in. This makes the S&amp;R not so cluttered, promotes collaboration with the intimate environment, and constrains the impact of knowledge objects to those working in the workspace.</P> <P>See <A href="https://docs.splunk.com/Documentation/CoE/ssf/Handbook/Workspace">Workspace best practices for a Splunk deployment</A> for more information and a link to the Welcome Page Creator for Splunk on Splunkbase which comes with a barebones workspace template.</P> Wed, 25 Sep 2019 18:21:38 GMT sloshburch 2019-09-25T18:21:38Z https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462282#M10799 <P>Noob here. </P> <P>I thought I read somewhere that you should not give users access to the default Search and Reporting App. This should be for Admins only. </P> <P>Instead, you should create a custom app and secure their access by roles and or indexes with the custom app. <BR /> Is this correct, And if so, is this documented anywhere?</P> <P>I mentioned this to a consultant and was told that he was not familiar with this. So I’m wondering if I misunderstood what I read. <BR /> And unfortunately I have been not been to find the original document that started me down this path. </P> <P>Thanks in advance for your replies.</P> Tue, 27 Aug 2019 01:39:07 GMT https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462282#M10799 kwkkarl 2019-08-27T01:39:07Z https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462283#M10800 <P>I heard of sites blocking access to the S&amp;R app, but nothing says you <EM>should</EM> do it.</P> <P>S&amp;R is blocked to prevent the real-time search that runs to populate the "What to Search" panel. In a system with a lot of users, all those real-time searches can tie up a lot of resources. A custom app is usually used as the default app to replace S&amp;R.</P> Tue, 27 Aug 2019 01:54:32 GMT https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462283#M10800 richgalloway 2019-08-27T01:54:32Z https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462284#M10801 <P>I wouldn't go so far as to disallow access to S&amp;R but I totally agree that every group of users should have their own creative app where they should do all of their work so that it can be managed separately.</P> Sun, 01 Sep 2019 21:00:55 GMT https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462284#M10801 woodcock 2019-09-01T21:00:55Z https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462285#M10802 <P>This probably came from me. I talk a lot about the concept of using apps as Workspaces. The premise is that as the user base of Splunk grows, you would do well to give each group their own app, or Workspace, to work in. This makes the S&amp;R not so cluttered, promotes collaboration with the intimate environment, and constrains the impact of knowledge objects to those working in the workspace.</P> <P>See <A href="https://docs.splunk.com/Documentation/CoE/ssf/Handbook/Workspace">Workspace best practices for a Splunk deployment</A> for more information and a link to the Welcome Page Creator for Splunk on Splunkbase which comes with a barebones workspace template.</P> Wed, 25 Sep 2019 18:21:38 GMT https://community.splunk.com/t5/Reporting/Security-Best-Practices-and-the-default-Search-Reporting-App/m-p/462285#M10802 sloshburch 2019-09-25T18:21:38Z