Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you change permissions on an executed savedsearch?

nick405060
Motivator
‎11-08-2019 12:17 PM

I have a dashboard that loadjobs a scheduled savedsearch. I needed to grant dashboard access to a new role, so I added permissions for that role both to the dashboard and to the savedsearch. But I got a Error in 'SearchOperator:loadjob': Permission denied. Cannot access artifacts of job_id message when I accessed the dashboard as that role. I forced the savedsearch to run again ahead of schedule and it fixed the error. Does changing permissions on a savedsearch really not affect permissions for the actual past jobs ran?

Is there a way to do this without manually rerunning to force the permissions change?

I confirmed that a reboot still does not propagate the new permissions down to the formerly ran jobs.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-08-2019 12:43 PM

The easiest way to do this is to click on Activity -> Jobs, then search for your job and click on the right-turn arrow icon that is the Share function. This will pop open a dialog that says something like TTL extended to 7 days and permissions changed to global.

Reply

nick405060
Motivator
‎11-11-2019 04:55 PM

But if it's a scheduled search, not one that you just manually executed, then you don't have the option to click any right-turn arrow

0 Karma
Reply

woodcock
Esteemed Legend
‎11-11-2019 05:10 PM

Scheduled searches should show, but by default, the artifacts are reaped in 1 hour, so most executed searches don't hang around for long.

0 Karma
Reply

nick405060
Motivator
‎11-11-2019 05:17 PM

Got it. This will work for my use case, but still isn't a solution if you wanted to apply changed permissions on a scheduled savedsearch to its past jobs, without making those results global. Upvoted though

0 Karma
Reply

Laezylion
Loves-to-Learn
‎09-28-2021 04:58 AM

Hello There !

 

I have a similar use case : I'm setting up savedsearches over night (heavy requests on a year) with a ttl of 24H.

I'm then loading them using a ladjob command. Works pretty well.

Now, I have to share theses results.

Is it possible to set the rights on the saved artifact differently than on the original data ?

like :  "the index is for administrators only, but the results is read for everyone" ?

 

If so, how can I set this ?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...