"Run as" owner not seem to work for saved searches


Based on documentation, and posts (Who do saved scheduled searches run as? and  Question about "run as" (Owner or User ) for saved searches), a saved search configured to "run as" owner, should with with permissions that the owner of the search has. However, I have two saved searches that do not work that way. Specifically, the searches use indexes that I (the owner) has access to but other user roles do not.

The difference that I can think of is that my searches are in a Splunk Cloud instance, and my users authenticate using SAML against a IdP on premise.

Any insights would be much appreciated!

Labels (2)
0 Karma


Hi @ww9rivers 

Firstly, the users are granted Splunk roles based on their LDAP group in authentication.conf, and those roles or roles those roles inherit would restrict access to indexes with srchIndexesAllowed in authorize.conf. So if users can log in to Splunk, then the Splunk roles would apply. So having Splunk cloud and on-premise LDAP shouldn't make a difference.

My only guess as to the cause of this issue is, there is some role which the user has which is overriding the permissions of the owner. You will note in the documentation that the search is not actually run as the owner, but rather with the permissions of  the owner.

To narrow down the issue, create a test user from GUI, and add the roles which the user has to it one by one. Try running the saved search as the test user after each role is added, to see which role is causing the issue. 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...