Security

Is it possible to restrict searchable index access but allow dashboardable index access?

nick405060
Motivator

Question says it all. I had pseudo-accomplished this for my users for the last 18 months by removing access to the search app and the search view, so they could use all my dashboards, alerts, and reports but not run their own custom searches.

Now I have a single index that I would like them to have search access to. Is it possible to give my users search access to only one index, but give them dashboard, report, and alert access to a great number of indexes? Or, alternately, can I specify "run as" for dashboards and alerts like I can for reports?

1 Solution

woodcock
Esteemed Legend

YES! Have a privileged user set up a scheduled search on the protected index and then have the unprivileged dashboard use | loadjob or | savedsearch to load the results of the search run to display in the dashboard.

nick405060
Motivator

One answer:
Summary indexes. Not a lot of fun, but doable.

Second answer:
Remove access to the search app and search view, and then create custom search dashboards, with your own query textbox so users can write custom queries (on top of whatever restrictions you want to implement, you can start the query for them). Since the search app and search view access removal is only through the UI, this is not secure.

Third answer:
Have Splunk add this capability. Create role-based dashboard index access vs role-based search index access. Or add "run as" for dashboards like with reports. Or create the ability to restrict search terms but specify if it's a dashboard or search restriction: indexSrchFilter vs dashboardSrchFilter.

niketn
Legend

@nick405060 I think this is also possible through saved searches. Have you tried the following:

Step 1: Do not give users access to search the index.
Step 2: Create all dashboard search queries as Report.
Step 3: Give user access to report.
Step 4: Reference Report in the dashboard.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
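
The four steps above and the scheduled-search approach from the accepted answer, sketched as configuration. This is an added example, not from any poster in the thread; the role `dashboard_user`, the owner `svc_reports`, the app `secops_dash`, the index names and the report name and search are all assumed placeholders.

```ini
# --- authorize.conf (assumed role name: dashboard_user) ---
[role_dashboard_user]
# Step 1: the role can search only the one open index
srchIndexesAllowed = open_idx
srchIndexesDefault = open_idx

# --- savedsearches.conf in the dashboard app (assumed app: secops_dash) ---
# Step 2: the dashboard query lives in a report owned by a privileged account
[Protected Index - Failed Logins]
search = index=protected_idx action=failure | stats count by user
# Run with the owner's index access, not the viewer's
dispatchAs = owner
# Scheduled, so panels can load the last run instead of dispatching a new search
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now

# --- metadata/local.meta in the same app ---
# Step 3: read-only access to the report for the restricted role
[savedsearches/Protected%20Index%20-%20Failed%20Logins]
access = read : [ dashboard_user ], write : [ admin ]
owner = svc_reports
export = none

# --- Step 4: reference the report from the dashboard (Simple XML) ---
# <search ref="Protected Index - Failed Logins"></search>
# or, as in the accepted answer, load the last scheduled run:
# | loadjob savedsearch="svc_reports:secops_dash:Protected Index - Failed Logins"
```

Keeping write access on the report away from the restricted role matters here, because the search string runs with the owner's index access and whoever can edit it controls what that access returns.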

Suhash
Engager

This one works, verified 🙂

sandeepmakkena
Contributor

I don't think you can do that. Unless the user has access to a specific index or data in the dashboard, the user can't see any results. You can generate reports and share them. I hope this helps.
