permission on knowledge object

New Member


Normal users should see a subset of a field extraction; a small set of higher-privileged users should be able to see more fields extracted from a log event in the search app.

Reason: deeper analysis capabilities for special analysts, limit field analysis and search time saving for normal users.


Can you please tell me how this has to be implemented? Is there an easier approach than mine?

What do I have to configure and where?

Can I handle it in one Addon?

Do I really save search time if field extraction is limited for the majority of the users? How can I measure the differences?

My approach and actual (no) results:

I created add-ons with report field extraction for specific sourcetypes (log events):

- create an Addon ..._baseline with the field subset - all users are granted

- create an Addon ..._all but with all fields extracted but limit access to a role "deep_data"

- assigned the role to the user, who should see all the data


But there is no difference whether a user has the role or not.
By playing with some permission assignments I can enforce that users can see the subset or the whole set.
But it does not depend on the role assignment. It's just for all users.

Thx and Regards

0 Karma

New Member

Hi Giuseppe,

Thx for the reply. Yes, I know that the user cannot see these fields in searches (except with regexing).
But this is exactly what I want to achieve. You wrote that I should give grants by adding roles to knowledge objects.

I did that, but unfortunately with no success.
How exactly do I have to do it?

My recent steps are:

  • create a role "deep_data"
  • go to Apps->Manage apps
  • select the app "addon_all"
  • edit "permissions"
  • deselect "everyone"
  • select the role "deep_data"
  • keep "All apps (system)" --> I tried it with app only, but this could not work, because it's an add-on to search
  • assign the role to the user "xxxx_all"
  • restart
  • logon with user "xxxx_all"
  • logon with user "xxxx_restricted"


  • whatever I switched, the users "xxx_all" and "xxx_restricted" have the same view

What did I do wrong?



0 Karma


Hi @KaS,

Why do you want to intervene on the app "addon_all"? Is this the app containing the Knowledge objects?

Anyway, try it this way:

  • click on Manage Apps,
  • choose the App containing the Knowledge objects,
  • click on "View Objects",
  • click, one by one, on all the fields you have to assign roles,
  • assign to each field the roles:
    • both to the fields open to all the users,
    • xxx_restricted to the fields with restricted access.

You can assign grants to the app only (usually) or to all apps (if you think that a field is common to more apps).



0 Karma
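An added example, not part of the thread and not Splunk's own code: a short Python audit of the read ACLs that per-object permission edits like the ones listed above are stored in (an app's metadata/local.meta). The sourcetype, the extraction names and the sample file are constructed, and the rule in `can_read` (read must be allowed at app, category and object level, with the roles passed in already including inherited ones) is this example's assumption about how the levels combine.

```python
import re

# Constructed sample of an add-on's metadata/local.meta. The sourcetype and
# extraction names are hypothetical placeholders, not taken from the thread.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[props/my_sourcetype/REPORT-baseline_fields]
access = read : [ * ], write : [ admin ]

[props/my_sourcetype/REPORT-deep_fields]
access = read : [ deep_data ], write : [ admin ]

[transforms/deep_fields]
access = read : [ deep_data ], write : [ admin ]
"""

def parse_meta(text):
    """Map each stanza that has an access line to its set of read roles."""
    acl, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza is not None and line.startswith("access"):
            m = re.search(r"read\s*:\s*\[([^\]]*)\]", line)
            if m:
                acl[stanza] = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return acl

def can_read(acl, obj, roles):
    """Assumed rule: app ("" stanza), category and object ACLs must all allow read."""
    for level in ("", obj.split("/")[0], obj):
        allowed = acl.get(level)
        if allowed is not None and "*" not in allowed and not allowed & set(roles):
            return False
    return True

def readable_objects(acl, roles):
    """Object-level stanzas (those with a '/') that the given roles may read."""
    return sorted(s for s in acl if "/" in s and can_read(acl, s, roles))

def world_readable(acl):
    """Objects whose own ACL grants read to every role ('*')."""
    return sorted(s for s in acl if "/" in s and "*" in acl[s])
```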


Hi @KaS,

You can give the grants by adding the roles of your users to a knowledge object.

The only problem is that if a role/user cannot see a field, all the searches containing that field have no results for that role!

In other words, if a role cannot see a field, it isn't used in all searches.

The only way to mask some fields for some users is to create different dashboards for the different roles containing a different list of fields; remember to disable the feature "open in search" for the limited users. 



0 Karma