Splunk Search

I want to provide read permission only one app not to all apps to a particular role


I want to provide read permission for only one app not all apps to a particular role and in my environment under apps permissions, I can see everyone(all roles) have read access. I don't want to make changes to all apps permission but wanted to manage if I can configure in one role or one app permissions so that all users under that role should only have read permission to one app and he won't be able to see other apps.

Labels (2)
Tags (3)
0 Karma



i don’t know any easy way to do this like “allow all other roles than this”. Splunk’s way is allow for named roles or to all. This has done via *.meta files https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Defaultmetaconf.  Basically you could do this by naming all other roles on all others apps meta files, but this is not a practical solution.

r. Ismo

Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...