I have a user that belongs to a few roles that use LDAP for auth. These roles have srchMaxTime
set to 600. I need to cap the user at 300 seconds for srchMaxTime. I have set-up 2 roles named aaa_search_abuser and zzz_search_abuser with this setting, and assigned the user to those roles (in addition the the other roles he belongs to). However, the user still shows with a 600 srchMaxTime. It seems like the role engine is choosing the highest value, not any sort of order-based process.
How can I make sure a role setting takes precedence over other role settings?
thanks
According to authorize.conf.spec srchMaxTime inherits the maximum from the other roles.
http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Authorizeconf
Looks like you need a role specifically for this user.
It doesn't seem to be possible based on Search Filters (srchFilter) when a user is in multiple groups/roles