We have some external users, whom we want to be able to see some dashboards we have created.
However, we do not want them to be able to make search on the search-head.
e.g. Dashboard item has a query like host = baloney.pipe source=B_Circuit | some column chart visualization
The users should be able to see the dashboard However if they want to search host = baloney.pipe source=B_Circuit on a search head they shouldn't get any results. (Only dashboard access to view ; No access to make any search on the index/host etc.. through search head)
Would using the 'Restrict Search Terms' option while creating a role help us achieve this functionality ?
Edit what you allow for them to do within the user roles.
I haven't created any role for them yet. I am still deciding what roles or capabilities will allow them to see the dashboard output but not able to make any query .
There is NO true way to restrict user from accessing data unless it is done at "index" level (ie. role vs index)
If the user is clever, they can tune the Search into URL parameters and get the information even if any restrictions on dashboard is done
The "Restrict Search Terms" applies to all searches, include the one launched from dashboards, so that would not work. Have a read at this: (I believe this is still true for current version)
https://answers.splunk.com/answers/487844/limit-user-access-to-view-dashboard-only.html