Security

Can you change permissions on an executed savedsearch?

nick405060
Motivator

I have a dashboard that loadjobs a scheduled savedsearch. I needed to grant dashboard access to a new role, so I added permissions for that role both to the dashboard and to the savedsearch. But I got a Error in 'SearchOperator:loadjob': Permission denied. Cannot access artifacts of job_id message when I accessed the dashboard as that role. I forced the savedsearch to run again ahead of schedule and it fixed the error. Does changing permissions on a savedsearch really not affect permissions for the actual past jobs ran?

Is there a way to do this without manually rerunning to force the permissions change?

I confirmed that a reboot still does not propagate the new permissions down to the formerly ran jobs.

0 Karma

woodcock
Esteemed Legend

The easiest way to do this is to click on Activity -> Jobs, then search for your job and click on the right-turn arrow icon that is the Share function. This will pop open a dialog that says something like TTL extended to 7 days and permissions changed to global.

nick405060
Motivator

But if it's a scheduled search, not one that you just manually executed, then you don't have the option to click any right-turn arrow

0 Karma

woodcock
Esteemed Legend

Scheduled searches should show, but by default, the artifacts are reaped in 1 hour, so most executed searches don't hang around for long.

0 Karma

nick405060
Motivator

Got it. This will work for my use case, but still isn't a solution if you wanted to apply changed permissions on a scheduled savedsearch to its past jobs, without making those results global. Upvoted though

0 Karma

Laezylion
Loves-to-Learn

Hello There !

 

I have a similar use case : I'm setting up savedsearches over night (heavy requests on a year) with a ttl of 24H.

I'm then loading them using a ladjob command. Works pretty well.

Now, I have to share theses results.

Is it possible to set the rights on the saved artifact differently than on the original data ?

like :  "the index is for administrators only, but the results is read for everyone" ?

 

If so, how can I set this ?

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...