Security

Can you change permissions on an executed savedsearch?

nick405060
Motivator

I have a dashboard that loadjobs a scheduled savedsearch. I needed to grant dashboard access to a new role, so I added permissions for that role both to the dashboard and to the savedsearch. But I got an "Error in 'SearchOperator:loadjob': Permission denied. Cannot access artifacts of job_id" message when I accessed the dashboard as that role. I forced the savedsearch to run again ahead of schedule and it fixed the error. Does changing permissions on a savedsearch really not affect permissions for the actual past jobs that ran?

Is there a way to do this without manually rerunning to force the permissions change?

I confirmed that a reboot still does not propagate the new permissions down to the formerly run jobs.

0 Karma

woodcock
Esteemed Legend

The easiest way to do this is to click on Activity -> Jobs, then search for your job and click on the right-turn arrow icon that is the Share function. This will pop open a dialog that says something like TTL extended to 7 days and permissions changed to global.

nick405060
Motivator

But if it's a scheduled search, not one that you just manually executed, then you don't have the option to click any right-turn arrow.

0 Karma

woodcock
Esteemed Legend

Scheduled searches should show, but by default, the artifacts are reaped in 1 hour, so most executed searches don't hang around for long.

0 Karma

nick405060
Motivator

Got it. This will work for my use case, but still isn't a solution if you wanted to apply changed permissions on a scheduled savedsearch to its past jobs, without making those results global. Upvoted though.

0 Karma

Laezylion
Loves-to-Learn

Hello there!

I have a similar use case: I'm setting up savedsearches overnight (heavy requests on a year) with a TTL of 24H.

I'm then loading them using a loadjob command. Works pretty well.

Now, I have to share these results.

Is it possible to set the rights on the saved artifact differently than on the original data?

Like: "the index is for administrators only, but the results are readable by everyone"?

If so, how can I set this?

0 Karma