Hi Splunk Experts
I have a set of users whom I want to allow only to run ad-hoc searches. I don't want them to create dashboards, reports and alerts.
How can this be achieved?
Any pointers to documentation would be helpful.
Thanks in advance
To restrict a user from scheduling searches, create a role without the schedule_search capability.
I can't think of a way to really forbid a user from running an ad-hoc report or dashboard since they are based on ad-hoc searches. You could try to remove the user's edit_own_objects capability to forbid the user from creating their own dashboards and reports (for the ones created by others or coming from the apps you could simply revoke permissions for the user's role), but I'm not sure what you'll end up with in terms of such a role's usefulness.
Thank you @PickleRick
As per the document https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/Rolesandcapabilities
the edit_own_objects capability is already disabled for the user role, but the user will still be able to create private dashboards in the $SPLUNK_HOME/etc/users/<userhome> directory. We clean this directory manually right now.
We are looking for this role as a "read-only user who can run dashboards created by other power users and run searches". A typical requirement for a support team.
I don't think that's possible. You can try to make it more difficult for the user to create dashboards. You could just fiddle with permissions and set some custom app as his default one. He could have just a search window and some pre-defined reports. It is most probably bypassable one way or another, but still better than nothing. If you want to have a "strictly read-only" user (for example for compliance reasons), I'm not sure it's possible.
I don't recommend this as a production solution, but for exploration's sake, this may be possible on a self-hosted instance by preventing Splunk from writing private configuration settings to the user's Splunk home directory. For example, to prevent Splunk from writing to savedsearches.conf in the search app:
sudo chown root:root $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
sudo chmod 0000 $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
This assumes that Splunk is running as a non-root user and can't otherwise restore permissions without a system administrator's intervention.
When the user attempts to save a report, they'll receive an error message:
In handler 'savedsearch': Data could not be written: /<username>/search/savedsearches/<name>/search: ...
I do recommend contacting Splunk support or your Splunk account manager for further guidance.
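The asker mentions cleaning the per-user directory by hand, and the last reply locks savedsearches.conf under that same tree. As an added example (not code from the thread or from Splunk), the script below enumerates the user-private objects that end up there, so an administrator can see what was created before deciding whether to remove it or lock the files. It assumes the standard Splunk layout: private dashboards live at etc/users/<user>/<app>/local/data/ui/views/<name>.xml and private reports and alerts are stanzas in etc/users/<user>/<app>/local/savedsearches.conf. The demo tree it builds when run without an argument is constructed sample data, not a real installation.

```shell
#!/bin/sh
# Added example: audit user-private dashboards and saved searches under
# $SPLUNK_HOME/etc/users. Paths follow the standard Splunk layout:
#   etc/users/<user>/<app>/local/data/ui/views/<name>.xml   (private dashboards)
#   etc/users/<user>/<app>/local/savedsearches.conf          (private reports/alerts)

# Print one line per private object: "<user> <app> view|savedsearch <name>"
audit_private_objects() {
    users_dir="$1/etc/users"
    [ -d "$users_dir" ] || return 0
    for user_dir in "$users_dir"/*/; do
        [ -d "$user_dir" ] || continue
        user=$(basename "$user_dir")
        for app_dir in "$user_dir"*/; do
            [ -d "$app_dir" ] || continue
            app=$(basename "$app_dir")
            # Private dashboards: one XML file per view.
            for view in "${app_dir}local/data/ui/views/"*.xml; do
                [ -f "$view" ] || continue
                printf '%s %s view %s\n' "$user" "$app" "$(basename "$view" .xml)"
            done
            # Private reports and alerts: one [stanza] per saved search.
            conf="${app_dir}local/savedsearches.conf"
            [ -f "$conf" ] || continue
            sed -n 's/^\[\(.*\)\]$/\1/p' "$conf" | while IFS= read -r stanza; do
                printf '%s %s savedsearch %s\n' "$user" "$app" "$stanza"
            done
        done
    done
}

# Number of private objects found under the given SPLUNK_HOME.
count_private_objects() {
    audit_private_objects "$1" | wc -l | tr -d ' '
}

# Build a constructed (fake) SPLUNK_HOME with one private dashboard for
# "alice" and two private saved searches for "bob"; prints its path.
build_demo_home() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc/users/alice/search/local/data/ui/views"
    mkdir -p "$demo/etc/users/bob/search/local"
    printf '<dashboard/>\n' > "$demo/etc/users/alice/search/local/data/ui/views/my_private_dash.xml"
    printf '[My Report]\nsearch = index=main | head 10\n\n[Disk Alert]\nsearch = index=os | stats count\n' \
        > "$demo/etc/users/bob/search/local/savedsearches.conf"
    printf '%s\n' "$demo"
}

# Usage: sh audit_private.sh [SPLUNK_HOME]; with no argument, run on the demo tree.
if [ $# -gt 0 ]; then
    audit_private_objects "$1"
else
    demo_home=$(build_demo_home)
    audit_private_objects "$demo_home"
    rm -rf "$demo_home"
fi
```

On a real search head, run it with $SPLUNK_HOME as the argument and diff the output over time; a line appearing for a role that is meant to be read-only shows that the role still has a path to create private objects, independent of whether the files were later locked with chmod.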