Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Remove search ability users

mmoermans
Path Finder
‎07-24-2017 01:42 AM

Hi there,

I'm trying to set up a monitor/manager account which only has access to dashboards but cannot search through indexes himself.
Where do you set this permission?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:49 AM

After creating user, create a role for this user and assign this role only the read permission for dashboard.

Please, create a role for this user before create this user, thus you can assign this role for this user and assign only the read permission for this user role.

if you don't want that user cannot search, either:

under Indexes, don't select no index, leave input Selected search indexes blank and save. Thus, your user cannot run search.

create an app for this dashboard and in the default nav four your app, only call the dashboards which user will see like this for example:

After do this edit your user and give it this app context by default

https://answers.splunk.com/answers/224735/how-to-restrict-a-users-role-to-only-view-a-dashbo.html

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:09 AM

edit - not sure if this can be done.. lets wait for others answers.

not sure of this one, but please check this Capability
"search" --- Run searches,
"srchIndexesAllowed"

but still, we can add or remove the search capability, but there is no separate capability for granting the dashboard. i think its not possible. lets wait for others answers.

"search" --- Run searches,
"srchIndexesAllowed" - User is allowed to search indexes.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/Rolesandcapabilities

0 Karma
Reply

mmoermans
Path Finder
‎07-24-2017 02:26 AM

srchIndexesAllowed only lets you definine which indexes can be searched.
If srchIndexesAllowed is empty then no results are found by Monitor user (in dashboards too).

[role_monitor]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user_no_index
srchIndexesAllowed = network
srchIndexesDefault = network
srchMaxTime = 0

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:35 AM

oops, my mistake. when i read the question, this issue came to my mind, but then missed it.

please check this Capability
"search" --- Run searches.

but still, we can add or remove the search capability, but there is no separate capability for granting the dashboard. i think its not possible. lets wait for others answers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...