I have a user that just needs to view a particular dashboard when logging into Splunk. I do not want him to have access to anything else, just the dashboard by default so that he can view and export panel metrics as needed. Is it possible to lock Splunk down this tight for a user? If so, how?
You can restrict access using the share properties; in other words, you have to create a role that grants access only to the dashboard you want and to its app, its knowledge objects (fields, tags, eventtypes, etc.) and its indexes.
Then you can define a default app for this role; this way, when the user logs in to Splunk, he's redirected directly to the app containing the dashboard.
Obviously the dashboard must have some specs:
Dashboard access controls can be set only for Splunk roles. So you need to create a separate role for this user with some basic capabilities to access the dashboard, and also map the user's LDAP/SAML group name to this role in authentication.conf.
[role_new_user_role]
srchIndexesAllowed = <INDEXES_THIS_ROLE_CAN_ACCESS>
export_results_is_visible = enabled
get_metadata = enabled
get_typeahead = enabled
list_inputs = enabled
rest_apps_view = enabled
rest_properties_get = enabled
search = enabled
Once the role is added, you can edit the dashboard permissions to provide read permission to this role.
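An added example, not from either answer or from Splunk: a Python check that a role stanza like the one above enables only the listed capabilities and has no wildcard index or inherited role, and that lists which dashboards the role can read according to an app's `metadata/local.meta`. The role, index and dashboard names in the sample input are constructed.

```python
import configparser
# Capabilities the answer above enables; any other enabled key is flagged.
ALLOWED_CAPS = {"export_results_is_visible", "get_metadata", "get_typeahead",
                "list_inputs", "rest_apps_view", "rest_properties_get", "search"}
# Constructed sample input: role, index and dashboard names are made up.
SAMPLE_AUTHORIZE = """
[role_dashboard_viewer]
srchIndexesAllowed = web_metrics;*
importRoles = user
search = enabled
export_results_is_visible = enabled
edit_user = enabled
"""
SAMPLE_META = """
[views/ops_overview]
access = read : [ dashboard_viewer ], write : [ admin ]
[views/internal_audit]
access = read : [ * ], write : [ admin ]
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(text)
    return cp

def audit_role(authorize_text, role):
    """Return least-privilege findings for one [role_<name>] stanza."""
    stanza = _parse(authorize_text)["role_" + role]
    findings = []
    for idx in stanza.get("srchIndexesAllowed", "").split(";"):
        if "*" in idx:
            findings.append("wildcard index: " + idx.strip())
    if stanza.get("importRoles", "").strip():
        findings.append("inherits from: " + stanza["importRoles"].strip())
    for key, value in stanza.items():
        if value.strip() == "enabled" and key not in ALLOWED_CAPS:
            findings.append("extra capability: " + key)
    return findings

def readable_views(meta_text, role):
    """Return dashboards whose read ACL names the role or '*'."""
    out = []
    for name, stanza in _parse(meta_text).items():
        read = stanza.get("access", "").split("read :", 1)[-1].split("]", 1)[0]
        readers = {r.strip(" [") for r in read.split(",")}
        if name.startswith("views/") and (role in readers or "*" in readers):
            out.append(name[len("views/"):])
    return out
```

A real `local.meta` often begins with an empty `[]` stanza that sets app-wide defaults; `configparser` rejects that header, so strip or rename it before passing the file in.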