How to keep users out of Search?

DaClyde · ‎08-10-2023

We would very much like to restrict certain users in our Splunk environment to the apps that have been provided to them and prevent them from reaching the Search interface.

We have established separate roles for each app, and assigned to the users to those roles, but are having some difficulty determining exactly which set of capabilities the roles require for the apps to function, but to make sure the users can't reach the search bar.

We remove the "Open in Search" option from the bottom on the dashboard panels, and we would like to remove access to the Search & Reporting app to all but the necessary roles. We just want to be sure everything still functions for the users in their various apps.

Any guidance would be helpful.

Thanks!

gcusello · ‎08-10-2023

Hi @DaClyde,

for my knowledge, the only choice is to remove the open in search option in each panle.

Even if adding "search" in the url permits to access the Search and reporting dashboard and it isn't possible to block it.

Ciao.

Giuseppe

DaClyde · ‎08-11-2023

Thank you @gcusello, I was worried this might be the answer.

As much as we can, we are leveraging the API to build dashboards into our main website and effectively replicating the dashboards in HTML, pulling the values from Splunk. That keeps the users out of Splunk entirely and may be the direction we need to go.

How to keep users out of Search?

access control

permissions

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector