Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Remove search ability users

mmoermans
Path Finder
‎07-24-2017 01:42 AM

Hi there,

I'm trying to set up a monitor/manager account which only has access to dashboards but cannot search through indexes himself.
Where do you set this permission?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:49 AM

After creating user, create a role for this user and assign this role only the read permission for dashboard.

Please, create a role for this user before create this user, thus you can assign this role for this user and assign only the read permission for this user role.

if you don't want that user cannot search, either:

under Indexes, don't select no index, leave input Selected search indexes blank and save. Thus, your user cannot run search.

create an app for this dashboard and in the default nav four your app, only call the dashboards which user will see like this for example:

After do this edit your user and give it this app context by default

https://answers.splunk.com/answers/224735/how-to-restrict-a-users-role-to-only-view-a-dashbo.html

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:09 AM

edit - not sure if this can be done.. lets wait for others answers.

not sure of this one, but please check this Capability
"search" --- Run searches,
"srchIndexesAllowed"

but still, we can add or remove the search capability, but there is no separate capability for granting the dashboard. i think its not possible. lets wait for others answers.

"search" --- Run searches,
"srchIndexesAllowed" - User is allowed to search indexes.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/Rolesandcapabilities

0 Karma
Reply

mmoermans
Path Finder
‎07-24-2017 02:26 AM

srchIndexesAllowed only lets you definine which indexes can be searched.
If srchIndexesAllowed is empty then no results are found by Monitor user (in dashboards too).

[role_monitor]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user_no_index
srchIndexesAllowed = network
srchIndexesDefault = network
srchMaxTime = 0

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-24-2017 02:35 AM

oops, my mistake. when i read the question, this issue came to my mind, but then missed it.

please check this Capability
"search" --- Run searches.

but still, we can add or remove the search capability, but there is no separate capability for granting the dashboard. i think its not possible. lets wait for others answers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...