Security

Is it possible to restrict searchable index access but allow dashboardable index access?

Motivator

Question says it all. I had pseudo-accomplished this for my users for the last 18 months by removing access to the search app and the search view, so they could use all my dashboards, alerts, and reports but not run their own custom searches.

Now I have a single index that I would like them to have search access to. Is it possible to give my users search access to only one index, but give them dashboard, report, and alert access to a great number of indexes? Or, alternately, can I specify "run as" for dashboards and alerts like I can for reports?

1 Solution

Esteemed Legend

YES! Have a privileged user set up a scheduled search on the protected index and then have the unprivileged dashboard use | loadjob or | savedsearch to load the results of the search run to display in the dashboard.

Motivator

One answer:
Summary indexes. Not a lot of fun, but doable

Second answer:
Remove access to the search app and search view, and then create custom search dashboards, with your own query textbox so users can write custom queries (on top of whatever restrictions you want to implement, you can start the query for them). Since the search app and search view access removal is only through the UI, this is not secure.

Third answer:
Have Splunk add this capability. Create role-based dashboard index access vs role-based search index access. Or add "run as" for dashboards like with reports. Or create the ability to restrict search terms but specify if it's a dashboard or search restriction: indexSrchFilter vs dashboardSrchFilter.

Legend

@nick405060 I think this is also possible through saved searches. Have you tried the following:

Step 1: Do not give users access to search the index.
Step 2: Create all dashboard search queries as Reports.
Step 3: Give the user access to the report.
Step 4: Reference the Report in the dashboard.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
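
A configuration sketch of the approach in the accepted solution and in the steps above, added here as an example and not written by any poster in this thread. The role, index, owner and report names (`dashboard_user`, `open_index`, `protected_index`, `svc_reports`, `protected_error_summary`) are hypothetical, and the report is assumed to live in the `search` app.

```ini
# ---- authorize.conf ----
# Role for dashboard users (hypothetical name). It lists only the one index
# they may search directly. Index access is cumulative across inherited
# roles, so do not import a role that allows more indexes (for example one
# with srchIndexesAllowed = *).
[role_dashboard_user]
srchIndexesAllowed = open_index
srchIndexesDefault = open_index

# ---- savedsearches.conf ----
# Scheduled report owned by a privileged account (hypothetical: svc_reports)
# whose role can search protected_index. Keep the output to the fields the
# dashboard needs, because every reader of the report sees the cached result.
[protected_error_summary]
search = index=protected_index log_level=ERROR | stats count by host
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
# Run with the owner's index access rather than the viewer's.
dispatchAs = owner

# ---- metadata/local.meta ----
# Grant the unprivileged role read access to the report only.
[savedsearches/protected_error_summary]
owner = svc_reports
access = read : [ dashboard_user ], write : [ admin ]

# ---- dashboard panel search (SPL, shown here as a comment) ----
# Load the cached results of the last scheduled run instead of searching
# the protected index as the viewing user:
#   | loadjob savedsearch="svc_reports:search:protected_error_summary"
```

To confirm the restriction holds, log in as a member of `dashboard_user` and check that a direct `index=protected_index` search returns nothing while the dashboard panel still renders.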

Contributor

I don't think you can do that; unless the user has access to a specific index or data in the dashboard, the user can't see any results. You can generate reports and share them. I hope this helps.

0 Karma