I think this is a typical Splunk use case wherein, we want to give access to users who can only VIEW dashboards but should not query or issue search commands.
I see some documentation on this:
but, following this, it is still users to fire search queries.
For example, when a user has a access to a dashboard, and then, access the dashboard page, there is a small link called "view results". Upon clicking on view results, it is bring search box screen. How do we just give access to dashboard URLs alone and, no access search UI.
I tried the other approach of creating a new role with no search capability but, it is not allowing the user to view dashboards.
I've done this by hiding (using CSS) the "View results" link. Admittedly, it's a bit of a kludge, but at least stops the specific pain point.
You might also consider disallowing general users to the main "searchbar views". These are typically dashboard_live and flashtimeline; they live in the "search" app.
The CSS I used to hide those results is below. It would go into a file called 'application.css' in the appserver/static subdir of whatever app contains your dashboards.
/* Don't show the "View results" footer */
display: none !important;
I have tried following and its working fine for me.
THis should restrict the access to flashtimeline (screen to which generally people search). Repeat the same for all the views which provide direct search.
Thank you so much. Could you please clarify on - "..capabilities similar to "user" role.."
Does this mean, create a new role and use Inheritance (from Manager/ACL/Roles) from role "User" (under selected column, in the UI).
Or should I create a new role with all the all the capabilities similar to user - meaning the following cap.s
Note that there is a capability - search include this..in the new role.?
YOu should create a new role with all capabilities similar to user.
The capability search is required otherwise the dashboards searches also will not work.
I tried exactly the same steps as you mentioned. My test userID gets 404 - with a message - " Splunk Cannot find the ...nameofmy_dash.. view - message - while accessing dashboard URL.
It seems like Search and Dashboard capabilities are tightly coupled. Either both are on or both are off 😞
As part of step , did you change the permission for "nameofmydashboard" as well to exclude dashboarduser?? we should exclude only for flashtimeline and dashboardlive. ALso for any view that you have created which provides search bar. Your normal dashboards (which contains links 'View Result') should be made accessible.
Thanks for the hint. My dashboard was with default permission for role user. I've added the new role too, in the permission list, for this dash. And hence, it works now 🙂
The test user is able to access dashboard. And he is not able to access search / flashtimeline as expected.
The problem is that Splunk creates a default navigation menu for your new app. This default navigation menu is stored as the dashboards view inside the search app. The problem is that if you deny access to this app, then trying to view this dashboard will 404.
<nav search_view="search" color="#65A637">
<view name="dashboards" />
You need to do two things:
For more info about customizing the navigation menu, see http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/BuildNavigation
One other thing I noticed is that Splunk v6.0 does not appear to honor global permissions for your custom commands and macros if you restricting access to the search app. For instance, the gauge command is considered an advanced command and restricting access to the search app prevents the gauge command from being used.
The same problem happen for macros created in the search app. Without access to the search app, the global permissions seem to get ignored.