Security

how to disable "ALL time" for user role

AzmathShaik
Path Finder

hello

i have created a customized role simple_user and assigned users to. i also wanted to disable "all time" option from search bar for the user in simple_user role.

can any one help me how to configure it?

0 Karma
1 Solution

hhGA
Communicator

Hi,

Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.

For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:

[role_simple_user]
srchTimeWin = 31536000

Note that the stanza title is in the format role_<role_name>.

Hope this helps.

View solution in original post

hhGA
Communicator

Hi,

Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.

For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:

[role_simple_user]
srchTimeWin = 31536000

Note that the stanza title is in the format role_<role_name>.

Hope this helps.

AzmathShaik
Path Finder

Thanks your answer helped me.

but i don't want to show the option of All Time for users except ADMIN user. is it possible??

0 Karma

hhGA
Communicator

You're welcome.

Unfortunately I am not aware of an configuration in Splunk that allows you to do that.

You can remove it from dashboards, but not from searches / reports.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...