https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399389#M172984 <P>Hello, </P> <P>I have a saved search, running each day with the following output</P> <BLOCKQUOTE> <P>Computer_Name |&nbsp;DPT | Install_status | Patch_ID</P> </BLOCKQUOTE> <P>I have a dashboard in with a panel like this:</P> <PRE><CODE>&lt;panel&gt; &lt;title&gt;Windows Patch Management&lt;/title&gt; &lt;single&gt; &lt;title&gt;Windows computers&lt;/title&gt; &lt;search&gt; &lt;query&gt;| loadjob savedsearch="MyUser:MyApp:WindowsPatches" | search $DPT$ | stats dc(Computer_Name)&lt;/query&gt; &lt;earliest&gt;-30d@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;/single&gt; &lt;/panel&gt; </CODE></PRE> <P>I'm facing a little issue here, I can filter using a dropdown, that's the "| search $DPT$ " where $DPT$ is a dropdown of Departments with the following Token value prefix : </P> <UL> <LI>DPT="</LI> </UL> <P>and the following Token value sufix </P> <UL> <LI>"</LI> </UL> <P>But I would like to reuse the "restricted search terms" of the user which is, for exemple : DPT="IT" in order to really restrict and not only visually. I didn't find a topic on how to retrieve this specific field, any ideas ?</P> <P>Regards,</P> Tue, 29 Sep 2020 23:21:48 GMT mdtrandco 2020-09-29T23:21:48Z https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399389#M172984 <P>Hello, </P> <P>I have a saved search, running each day with the following output</P> <BLOCKQUOTE> <P>Computer_Name |&nbsp;DPT | Install_status | Patch_ID</P> </BLOCKQUOTE> <P>I have a dashboard in with a panel like this:</P> <PRE><CODE>&lt;panel&gt; &lt;title&gt;Windows Patch Management&lt;/title&gt; &lt;single&gt; &lt;title&gt;Windows computers&lt;/title&gt; &lt;search&gt; &lt;query&gt;| loadjob savedsearch="MyUser:MyApp:WindowsPatches" | search $DPT$ | stats dc(Computer_Name)&lt;/query&gt; &lt;earliest&gt;-30d@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;/single&gt; &lt;/panel&gt; </CODE></PRE> <P>I'm facing a little issue here, I can filter using a dropdown, that's the "| search $DPT$ " where $DPT$ is a dropdown of Departments with the following Token value prefix : </P> <UL> <LI>DPT="</LI> </UL> <P>and the following Token value sufix </P> <UL> <LI>"</LI> </UL> <P>But I would like to reuse the "restricted search terms" of the user which is, for exemple : DPT="IT" in order to really restrict and not only visually. I didn't find a topic on how to retrieve this specific field, any ideas ?</P> <P>Regards,</P> Tue, 29 Sep 2020 23:21:48 GMT https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399389#M172984 mdtrandco 2020-09-29T23:21:48Z https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399390#M172985 <P>Do not use those search restrictions using search-time fields if the application is security-relevant, they're easily bypassed.<BR /> Similarly, do not use dashboard-based restrictions as those are under the control of the user's browser, and thereby easily bypassed as well.</P> <P>If it's just a convenience case with no security implications you can use the currently logged in user's context via <CODE>|rest</CODE> to load its roles and associated search filters.</P> Sun, 17 Feb 2019 16:36:36 GMT https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399390#M172985 martin_mueller 2019-02-17T16:36:36Z https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399391#M172986 <P>Hi Martin, </P> <P>Thanks for your answer. If I have security in mind, what are the function I should look into ?</P> <P>Regards,</P> Sun, 17 Feb 2019 17:08:25 GMT https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399391#M172986 mdtrandco 2019-02-17T17:08:25Z https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399392#M172987 <P>Index permissions per role and saved searches running as owner for indexes the users should not have full access to.</P> Sun, 17 Feb 2019 17:45:49 GMT https://community.splunk.com/t5/Splunk-Search/Use-the-quot-restricted-search-terms-quot-of-a-role-to-filter-a/m-p/399392#M172987 martin_mueller 2019-02-17T17:45:49Z