
How to disable realtime searches for the power user role?

skoelpin
SplunkTrust

I'm wanting to disable real-time searches for the roles 'user' and 'power-user'. For the user role, I removed most of the capabilities, including rtsearch. When I log in as a local user account, I do not see the real-time search functionality available, which I expect. When I do the same thing for the power-user role, the user still has the real-time functionality.

Here are the additional capabilities the power-user has that the regular user does not have:

edit_sourcetypes
embed_report
list_settings
schedule_search
search_process_config_refresh

gjanders
SplunkTrust

Perhaps run:

splunk btool authorize list --debug

Confirm that rtsearch does not have the = enabled flag on it; if it does, try adding this to the relevant section of your authorize.conf:

rtsearch =
schedule_rtsearch =

Also note that if you have used something like admin_all_objects = enabled this will override the above permissions and allow the scheduling of real time searches even if rtsearch = (blank).

Note that I have not written rtsearch = disabled as the authorize.conf documentation states:

<capability> = <enabled>
* A capability that is enabled for this role.
* You can list many of these.
* Note that 'enabled' is the only accepted value here, as capabilities are
  disabled by default.

somesoni2
Revered Legend

Did you check via btool what the effective capabilities for the power user role are? Removing rtsearch should've been sufficient (https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Search/Restrictrealtimesearch#Disable_real-t...)

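Both answers above come down to the same check: what capabilities a role ends up with once inherited roles and blank values are taken into account. The script below is an added example (not Splunk's code and not from either poster) that parses authorize.conf-style [role_*] stanzas, follows importRoles, and reports whether a role can run or schedule real-time searches. The stanza names follow Splunk's default role_user / role_power convention; every capability line in the sample is constructed for illustration, and the sample deliberately reproduces the situation in the question, where the power role still carries its own rtsearch = enabled line after rtsearch was removed from user.

```python
"""Resolve effective Splunk role capabilities from authorize.conf-style text.

Added example, not Splunk's own code. Models two rules quoted in the thread:
a capability counts only when its value is exactly 'enabled' (a blank
'rtsearch =' does not enable it), and admin_all_objects overrides the
real-time restriction. Sample config below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample: user had rtsearch removed, but power still has its own
# rtsearch = enabled line, so power keeps real-time search despite importing user.
SAMPLE_CONF = """
[role_user]
search = enabled
schedule_search = enabled

[role_power]
importRoles = user
edit_sourcetypes = enabled
embed_report = enabled
list_settings = enabled
schedule_search = enabled
search_process_config_refresh = enabled
rtsearch = enabled

[role_admin]
importRoles = power;user
admin_all_objects = enabled
"""

RT_CAPS = ("rtsearch", "schedule_rtsearch")


def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for each [role_<name>] stanza."""
    roles: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[role_([^\]]+)\]", line)
        if m:
            current = m.group(1)
            roles.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        roles[current][key.strip()] = value.strip()
    return roles


def effective_capabilities(roles: Dict[str, Dict[str, str]], role: str,
                           _seen: Optional[Set[str]] = None) -> Set[str]:
    """Capabilities enabled on the role itself plus everything inherited via importRoles.

    Only the literal value 'enabled' counts, so 'rtsearch =' contributes nothing.
    Inheritance is a union: a blank value on a child does not remove a capability
    granted by a parent, which is why the parent role must be cleaned up too.
    """
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    caps: Set[str] = set()
    stanza = roles[role]
    for parent in stanza.get("importRoles", "").split(";"):
        parent = parent.strip()
        if parent:
            caps |= effective_capabilities(roles, parent, _seen)
    for key, value in stanza.items():
        if key != "importRoles" and value.lower() == "enabled":
            caps.add(key)
    return caps


def realtime_report(roles: Dict[str, Dict[str, str]], role: str) -> Dict[str, bool]:
    """Summarise whether a role can reach real-time search by any route."""
    caps = effective_capabilities(roles, role)
    override = "admin_all_objects" in caps
    return {
        "rtsearch": "rtsearch" in caps,
        "schedule_rtsearch": "schedule_rtsearch" in caps,
        "admin_all_objects": override,
        "realtime_possible": bool(caps & set(RT_CAPS)) or override,
    }


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_CONF)
    for name in ("user", "power", "admin"):
        print(name, realtime_report(parsed, name))
    # Blanking the power role's own line is what actually removes it.
    fixed = parse_roles(SAMPLE_CONF.replace("rtsearch = enabled", "rtsearch ="))
    print("power after fix", realtime_report(fixed, "power"))
```

Run against the real output of splunk btool authorize list --debug (with the btool file prefixes stripped) the same functions show which stanza is still granting rtsearch, and the admin_all_objects flag in the report makes the override gjanders mentions visible rather than leaving it to be discovered when the role can still schedule a real-time search.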