Security

Grant permission to view search results but not execute

New Member

I can see in my user roles that I can prevent a user from accessing search functionality, but it appears that this means that a user can't even view the results of a saved search.

How can I allow a user to view existing saved searches, but not start new ones?

This is useful for us as Splunk is being shared across multiple sites, so we are allowing only our backend to create private, invisible saved searches with data they have permission to view, and then embedding the results in an iframe on our frontend. The client doesn't know how to use Splunk, all they know is they want analytics for their site.

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

We have a jobs server setup that runs all scheduled searches. Users don't have access to this server for searching. If they want a scheduled search then they must request this from us. They can still create a saved search just not schedule it.

On the servers you DON'T want them to be able schedule searrches in the default-mode.conf file put:

[pipeline:scheduler]

disabled = true

0 Karma

New Member

@rmorlen Thanks for that info. The problem is, the client doesn't know how to use Splunk, all they know is they want analytics for their site. We know what reports we need to generate automatically, we just need to be able to embed an iframe which doesn't allow creating searches.

0 Karma