Problem with user roles in Palo Alto app
I have two different roles, both inherited with user privilegies. Roles are: All_logs and Network_logs
Only difference between those roles are that All_logs have Restrict search terms: * and
Network_logs Restrict search terms: index=pan_logs
And the problem is with Palo Alto Networks app, users who belongs to All_logs role, everything is working fine, but users with Network_logs don't see anything with app, but search "index=pan_logs" works fine.
Why app doesn't show information? For example Threat Dashboard gives "Search produced no results" information under dropdown menus, and all panels give "No results found"
1. Yes, logs are actually in the pan_logs index
2. Network_logs can see pan_logs index, search index=pan_logs works fine with this role.
3. I made some changes to roles -> no Restrict search term and available index: pan_logs, and now app works, but this is not the solution I want to use. We have other issues, so we need the use 'Restrict search terms'
Splunk Support answered to me that this is app related question.