I assume the answer is no, but wanted to ask to verify.
I do not want to give a user access to an index, because I do not want them to be able to search against it in the Search app. The user has the need to see only certain things in this index. I already have an app I created with a few search forms, which would allow the user to search for all info they need to see and nothing more.
Is there a way for searches within a search form to run with access to an index to which the logged-in user does not have access? Some kind of run-as capability, or assigning an app or form to a Role with access to the index?
With Splunk 6 this is fairly easy since there's been a change in the way permissions are applied; saved searches are executed with the permissions of their owner.
Since the dashboard calls the saved search, it will (in Splunk 6) execute with the permissions of the owner, and you can create a dashboard based on data the user doesn't have access to.
An alternative is to give the user access to the index but restrict the search terms. Under the role settings you can specify a search string which will be run against any other searches that user does.
e.g. index=security host=myhostname
This will mean that the user can only find events for that host in the security index.
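The role-level restriction described in the answer above, written as authorize.conf stanzas; this is an added example, not part of the original thread. The role names are hypothetical, and the filter string is the one given in the answer.

```ini
# authorize.conf: added example; role names are hypothetical.

# Weak: the role can search the whole index, so any ad-hoc search or
# user-built dashboard can read every event in it.
[role_security_open]
search = enabled
srchIndexesAllowed = security
srchIndexesDefault = security

# Restricted: same index, but the filter from the answer is applied to
# every search the role runs, including searches the user types into
# the Search app or puts in a dashboard they create themselves.
[role_security_forms]
search = enabled
srchIndexesAllowed = security
srchIndexesDefault = security
srchFilter = index=security host=myhostname
```

Assign the user to the restricted role only, so that no other role widens what they can search.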
Use Saved Searches owned by system and call the saved search in your App. That should work as long as realtime is not needed.
Short answer: No
Long answer: Maybe. You can probably pull it off if you really wanted to. Though I can't speak for the security of the setup.
What I would try is to first limit the user's role to be as minimal as possible, and he/she can still use your form searches.
From there, I'd edit the Search app, and remove permissions to flashtimeline and the other "search" pages for that user's role.
Assuming the user is only in that role, you can permission off all the dashboards in Splunk so that the only thing the user is able to ever see are the dashboards you created.
Again, this banks on the fact that you're able to permission off any screens where you can run an ad-hoc search.
Alternatively, you could have the user not log into Splunk altogether, and write something that uses the REST API to generate some charts/graphs on your own.
And all of that is for nothing.
You cannot limit a user from creating a new report or dashboard.
If they can do that, they can trivially create a dashboard with a search timeline.