Dashboards & Visualizations

How can I create a dashboard with restricted user access?


I would like to have a dashboard which a group of users has a restricted access to. These users should be able to access the dashboard only without any other permissions (such as: running search queries through the browser or any API, accessing the other projects or the objects in there, viewing the settings, viewing the activities, accessing the launcher homepage under …./app/launcher/home, or being able to do anything other than: viewing the dashboard; logging in and out; accessing the account settings to change the own password).

If this is doable, could somebody then guide me through the process to do so? This is what I have done so far:

(1)- A new project has been created.
(2)- A role has been created with:
- Default app = the new app
- Available indexes/ search indexes = the same indexes that the default users have access to.
- Available capabilities = none
(3)- The permissions for the new application have been configured as below:
- Read permission has been granted to the new role.
- “Sharing for config file-only objects” = “All apps”
(4)- The new application has two objects (1 nav and 1 view), and the Read permission on these objects has been given to the new role:
- The nav was configured as below:

<nav color="#65A637">
<view name="Client-dashboard" default='true'/> 
  • The view was configured to show a dashboard with one chart.

    <dashboard hideEdit="true" hideSplunkBar="true" hideAppBar="true"
      <label>Sample Dashboard</label>   
        <description>    Sample Dashboard Description  </description>   <row>
                     <title>Chart title</title>
                       <query> The search query  </query>
                     <option name="charting.chart">pie</option>
                     <option name="height">415</option>
                      <option name="rowNumbers">false</option>
                      <option name="charting.drilldown">none</option>
                     <option name="refresh.link.visible">true</option>
                     <option name="link.openSearch.visible">false</option>
                     <option name="link.openPivot.visible">false</option>
                     <option name="link.inspectSearch.visible">false</option>
                     <option name="link.exportResults.visible">false</option>


If a user has no search capabilities, the dashboard being viewed needs to make use of savedsearches that are configured to run as the owner of the savedsearch, and they need to be specifically called from the dashboard in a certain way.

Inside the dashboard these savedsearches are called with:

<search ref="<savedsearchname>"></search>

The savedsearch needs to be created and configured to run as the owner of the savedsearch, and the owner needs to have permissions to search the data necessary. From savedsearches.conf spec:

dispatchAs = [user|owner]
* When the saved search is dispatched via the "saved/searches/{name}/dispatch"
  endpoint, this setting controls, what user that search is dispatched as.
* This setting is only meaningful for shared saved searches.
* When dispatched as user it will be executed as if the requesting user owned
  the search.
* When dispatched as owner it will be executed as if the owner of the search
  dispatched it no matter what user requested it.
* If the 'force_saved_search_dispatch_as_user' attribute, in the limits.conf
  file, is set to true then the dispatchAs attribute is reset to 'user' while
  the saved search is dispatching.
* Defaults to owner.

Yes, this means that every panel on the dashboard in question needs to fetch its data via a savedsearch.

There is at least some additional detail about this on a previous answers post

0 Karma


Thank you for your answer. I created the savedsearch under "Search & Reporting " application with:
- "Read" permission given to the dashboard role

- "Saved search should appear in = All apps"
- Run as = Owner

In the limits.conf file, the attribute force_saved_search_dispatch_as_user is false.

I tested the dashboard with my Admin account and everything was fine, that means the savedsearch is called correctly inside the dashboard. However, the new role is unable to see the results unless I give it the following capabilities:
- admin_all_objects
- search

Without "admin_all_objects" (even if all other capabilities are assigned), the user gets the message "Could not find object id=MY_SAVE_SEARCH". If the role is given the "admin_all_objects" only (without "search"), the message changes to "Error dispatching saved search".

The only way to have the new role viewing the chart is to assign both capabilities (admin_all_objects, search), which is of course not what I am looking for! It seems that I still have something missing in my setup.

0 Karma

Super Champion

for that specific roles you need to add few capabilities in authorize.conf :-

change_own_password = enabled
export_results_is_visible = enabled
srchIndexesAllowed =_internal

check this if more capability need to include: https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Rolesandcapabilities

for particular dashboard to give read access go to Settings>>User interface » Views and change read permission for particular view which will update local.meta in metadata folder with provided read permission. by default it has read permission for everyone.

0 Karma


Thanks for answering, I did the same and the new role was able to access the dashboard page, however, the chart doesn't appear, just the message "Could not create search" inside the chart area, so I believe something is still missing, would you please help again?

And in general, is it possible to grant the permission only on one dashboard and prevent the user from the following:
1- Running search queries through the browser or any API
2- Accessing the other projects or their objects
3- Accessing the settings, activities, massages
4- Accessing the launcher homepage under …./app/launcher/home

Thanks in advance

0 Karma

Super Champion

to resolve "Could not create search" you need to add indexname in srchIndexesAllowed stanza separated by semicolon :-

srchIndexesAllowed =_internal;anotherindexname
0 Karma


It is already there, the new role has already given an access to the same indexes and search indexes that the default users role has.

0 Karma

Path Finder

Were you ever able to resolve the "Could not create search" issue? I'm trying to use loadjob after giving permissions to view the scheduled report, and getting that error in the panel.

0 Karma

Path Finder

Never mind. I assumed the user already had the power role in addition to the role I was giving them to view the dashboard and underlying savedsearch results. They did not. Once I added the power role it started working.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...