Restrict Search Terms

zacksoft · ‎05-07-2019

We have some external users, whom we want to be able to see some dashboards we have created.
However, we do not want them to be able to make search on the search-head.

e.g. Dashboard item has a query like host = baloney.pipe source=B_Circuit | some column chart visualization
The users should be able to see the dashboard However if they want to search host = baloney.pipe source=B_Circuit on a search head they shouldn't get any results. (Only dashboard access to view ; No access to make any search on the index/host etc.. through search head)

Would using the 'Restrict Search Terms' option while creating a role help us achieve this functionality ?

ryhluc01 · ‎05-07-2019

Edit what you allow for them to do within the user roles.

zacksoft · ‎05-07-2019

I haven't created any role for them yet. I am still deciding what roles or capabilities will allow them to see the dashboard output but not able to make any query .

koshyk · ‎05-07-2019

There is NO true way to restrict user from accessing data unless it is done at "index" level (ie. role vs index)
If the user is clever, they can tune the Search into URL parameters and get the information even if any restrictions on dashboard is done

somesoni2 · ‎05-07-2019

The "Restrict Search Terms" applies to all searches, include the one launched from dashboards, so that would not work. Have a read at this: (I believe this is still true for current version)
https://answers.splunk.com/answers/487844/limit-user-access-to-view-dashboard-only.html

Restrict Search Terms

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Restrict Search Terms

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever