topic Re: Prevent users from creating private searches in Splunk Search

Prevent users from creating private searches

jthunnissen — Wed, 16 Jan 2019 14:32:37 GMT

Is there a way to not allow users to create private searches (and other knowledge objects) in an app?

Re: Prevent users from creating private searches

dkeck — Thu, 17 Jan 2019 06:46:10 GMT

HI,

why are you trying to do this? Knowledge objects are going to be saved from whatever app context the user is within when they are created.

If you want to force user to save KO within a certain app context, you could create deparment apps and new roles with this apps as default.

By default only Power user and Admin have write permission the Searching&Reporting app, so any user will have private objects.

Re: Prevent users from creating private searches

jthunnissen — Thu, 17 Jan 2019 08:18:49 GMT

Do you mean I can set a default app for all users, where all private KO's are automatically saved? This would be a workable solution for my problem. How would one do this?

The reason I want this is rather complex. Suffice it to say that it is important for me that all KO's that are necessary for the functionality of an app (such as saved searches that fill lookups and summary indexes) are within the app directory; not in etc/users/apps/*.

Re: Prevent users from creating private searches

dkeck — Thu, 17 Jan 2019 08:24:55 GMT

Hi,

this is how you set app as default app https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/ConfigureSplunktoopeninanapp

Just create new role e.g. "security team", create a new app in splunk web with barebone temple an name it "security team" than go back to your new security team role and set as default app "security team" app.

Re: Prevent users from creating private searches

jthunnissen — Thu, 17 Jan 2019 10:07:34 GMT

This does not seem to work. It sets the default app shown upon login, but if I for example save a search from the Launcher app with a user whose default app is Search, the report is still saved as a private search within the Launcher app, not the Search app.

Re: Prevent users from creating private searches

dkeck — Thu, 17 Jan 2019 10:11:44 GMT

Thats correct, its not "preventing" the user BUT its "help" the user to start off in the correct app/context. The rest would be education of the user and tell them not to save staff outside there team app.

Re: Prevent users from creating private searches

dkeck — Thu, 17 Jan 2019 10:27:46 GMT

You could also eddit the permissions for search and launcher app from everyone to admin only, and the user is not able to leave the team app

Re: Prevent users from creating private searches

nikita_p — Thu, 17 Jan 2019 10:58:41 GMT

Hi,
I dont think it is possible to restrict the user from creating their own private search however, you can restrict ability to write to the search app by disabling write permissions in the app.

UI > manage apps > search & reporting > permissions> remove write capabilities for roles as desired.

Re: Prevent users from creating private searches

jthunnissen — Thu, 17 Jan 2019 11:17:05 GMT

Ik do not want to restrict users from viewing most apps, just prevent them (and even the app developers) from saving private KO's in them.

Re: Prevent users from creating private searches

dkeck — Thu, 17 Jan 2019 11:50:34 GMT

KO are private shared as default, so I can´t think about an easy way to get there..

maybe something custom.