I have a user that is scheduling a saved search and has results get sent to multiple users. When the users click on the link included in the email they get prompted to log into splunk and immediately. get a 403 error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None"
If they just log into splunk and run the search, they get results fine. They have the same roles as the person creating the search. Are the saved search results only accessible by the owner of the search? As admin I can see them of course.
I ran into this and even with the saved search shared globally and read permission granted to the role which my user was assigned, I continued to get a 403. The only way I found to resolve this was by editing $SPLUNK_HOME/etc/apps/
After that I was able to access the results.
You should verify that the users encountering this problem are in the "read" ACL for the particular saved search object. To check, visit manager, check the specific saved search object, click on permissions and verify that any role for the users having the problem has read permissions.
If this is the case, the next step in diagnosing is to look at the search
index=_internal source=*splunkd_access.log status=403 and determine which specific URL is returning the error.
This looks similar to the following post: http://answers.splunk.com/questions/10946/authorizationfailed-http-403-when-clicking-on-the-link-in-...
It sounds like it was fixed in 4.1.6, we are running 4.2 I wonder if it broke again?