Hi there.

There is one thing that's not obvious for me.

I understand that if I create a non-accelerated datamodel, the searches from datamodel are converted on the fly to searches on the underlying data and therefore the permissions for the user performing the search should be applied correctly, right?

But how about accelerated ones? There are summaries created by "system" user. Does splunk check permission to datamodel summaries the same way as it does to raw indexes?

Let's assume I have your typical CIM datamodel Network Sessions. I have a macro cm_Network_Sessions_Indexes defined as "index=internal_juniper OR index=external_cisco". So the CIM Network Sessions datamodel is being created upon events held in two separate indexes (let's say I have two different teams maintaining those two device classes).

Now if this datamodel was not accelerated, I assume that my juniper admin preforming a search on it would get only sessions from internal_juniper index and vice versa - cisco admin would get only session from ciscos.

But what happens when I turn on the acceleration? Will it still work this way? Or will all admins get to see all sessions because they are retrieved from the accelerated summaries, not the underlying indexes?