I am looking for a way to restrict users to run "dbquery" command but still be able to access the dashboard/report that made by running "dbquery", is that even possible? I tried to use dbx/metadata/local.meta to have testrole to be able to see the dashboard/report but not able to run dbquery command, but it doesn't work that way.
[commands/dbquery]
access = read : [ dbx_user, admin ], write : [ dbx_user, admin ]
export = system
[database/mydb]
access = read : [ admin, dbx_user, testrole ], write : [ admin, dbx_user ]
export = none
AFAIK, you can't do it that way. However, you could have a scheduled search with a dbquery that populates a lookup table, and then have the dashboard reports use the lookup table. The dashboard data would be relatively stale, depending on how often the schedule search runs.
Another alternative is to use an embedded report. In this case, your report would still use dbquery - and it would still have to be scheduled - but you could skip the lookup table. Here is a nice blog entry that shows how: Embed scheduled reports
In both of these examples, you could deny access to the DBConnect app to the users.
As a general rule, if you don't have access to the data and commands that underly a report, you can't use the report. Embedded reports were designed to get around this restriction. In addition, embedded reports can be viewed without even logging into Splunk.