I running Splunk 4.1.6 and I'm trying to create a role which allows the user to only have read access to the Search app. i.e. They can only do native and saved searches.
However, even at the lowest level of privileges it seems the user always has access to the "Manager". Is there anyway to restrict this? Can i remove the link from the search app?
you can control what is displayed on the Manager page via the authorize.conf file.
more info here :
To add to what Sean said, when you use advanced XML, you can only actually remove the entire "AccountBar", meaning all of those links, or leave it in. However, if I'm in an app, I can paste this into the URL bar and the "Manager" link will hide for me, so I imagine that a custom application.js could get you what you want:
You can certainly customize "search" or create a custom app that doesn't provide links to manager or other apps to the users. Additionally, you can configure Splunk to put certain users in this app by default.
There is Splunk documentation on how to customize a dashboard.
Note, to do what are you're asking requires the advanced dashboard XML.
As the doc states, you can browse to your search app and viewSource to see what components are there: https://localhost:8000/en-US/app/search/dashboard_live?showsource=true