I have a search head cluster and have created a custom role (authorize.conf), which has been deployed to each SH through a custom app.
I added a user "xyz" to only one SH so that the user only uses a particular SH. Everything seems fine except that the user is not able to see all the saved search results.
Error message when I use loadjob command:
Error in 'SearchOperator:loadjob': error accessing https://127.0.0.1:8089/services/search/jobs/scheduler__admin__search__RMD5fc0cc9974bfd0925_at_145320..., statusCode=403, description=Forbidden
However, when I added the user to all the SHs, there were no errors.
My question is, did the issue happen because of not adding the user to all SHs, or because of a capability issue in authorize.conf?
Thanks
Ishaan
In a search head cluster, if you are using local splunk authentication, then the users should be created separately on each member. The user on a search head is local to that node and its same as with the objects created by the user unless the user has admin privileges.
It's always advisable to configure a central user base/authentication system like LDAP in a search head cluster.
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/AdduserstotheSHC