OK, here it is clue:
I use 2 userroles (rprod, rtest) - inherited from object/role user:
authorize.conf
[role_user]
srchIndexesAllowed =
[role_rprod]
importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1
[role_rtest]
importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2
user1 is member of role rprod / user2 is member of role rtest
by default, the user-role has the property:
[role_user]
srchIndexesAllowed = *
and this caused the problem, because I used searches by sourcetype not by index, to be more flexible in customeres usecases ...
... View more