- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Can you change permissions on an executed save...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you change permissions on an executed savedsearch?
I have a dashboard that loadjobs a scheduled savedsearch. I needed to grant dashboard access to a new role, so I added permissions for that role both to the dashboard and to the savedsearch. But I got a Error in 'SearchOperator:loadjob': Permission denied. Cannot access artifacts of job_id message when I accessed the dashboard as that role. I forced the savedsearch to run again ahead of schedule and it fixed the error. Does changing permissions on a savedsearch really not affect permissions for the actual past jobs ran?
Is there a way to do this without manually rerunning to force the permissions change?
I confirmed that a reboot still does not propagate the new permissions down to the formerly ran jobs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way to do this is to click on Activity -> Jobs, then search for your job and click on the right-turn arrow icon that is the Share function. This will pop open a dialog that says something like TTL extended to 7 days and permissions changed to global.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But if it's a scheduled search, not one that you just manually executed, then you don't have the option to click any right-turn arrow
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scheduled searches should show, but by default, the artifacts are reaped in 1 hour, so most executed searches don't hang around for long.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it. This will work for my use case, but still isn't a solution if you wanted to apply changed permissions on a scheduled savedsearch to its past jobs, without making those results global. Upvoted though
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello There !
I have a similar use case : I'm setting up savedsearches over night (heavy requests on a year) with a ttl of 24H.
I'm then loading them using a ladjob command. Works pretty well.
Now, I have to share theses results.
Is it possible to set the rights on the saved artifact differently than on the original data ?
like : "the index is for administrators only, but the results is read for everyone" ?
If so, how can I set this ?
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
