I have a technique that seems to work...
As we all (for varying values of all) know - it appears you cannot use a "Run-As Owner" saved search inside a dashboard that accepts an argument. (See: https://answers.splunk.com/answers/454828/how-to-run-a-savedsearch-with-the-owner-permission.html )
However, that page does provide a hint of what is required, a "post process filter".
This page: https://www.tekstream.com/optimizing-splunk-dashboards-with-post-process-searches/ provides further details on post-processing.
In the end, this is what worked for me for this particular instance - and is likely applicable in other circumstances. (Note, this is Splunk v7.3.2)
We have a group that does not have access to the wineventlog index, but needed access to the 4740 EventCode. (I suppose we could have provided access via a search filter on the role with access to the index as well - maybe.)
Create a "Run-As Owner" report: (As an administrator, or other account that has access to the wineventlog index)
index=wineventlog EventCode=4740 source="WinEventLog:Security" Security_ID="*"
| eval lockout = if( mvcount(Security_ID)=1, mvindex(Security_ID, 0), mvindex(Security_ID, 1))
| table _time, Caller_Computer_Name, lockout | sort - _time
Call it "REPORT-AccountLockouts", and give it a reasonable duration. (We used 30 days.)
Apply read permissions to the relevant less permissioned role, and - obviously - set permissions to "Run-As Owner".
The dashboard XML is then:
<form theme="dark">
  <label>Account Lockouts</label>
  <search ref="REPORT-AccountLockouts" id="baseSearch"></search>
  <fieldset submitButton="true">
    <input type="text" token="securityid" searchWhenChanged="true">
      <label>UserName</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Account Lockouts</title>
      <table>
        <search base="baseSearch">
          <query>| search lockout="*$securityid$"
| eval evtTime=strftime(_time, "%m/%d/%Y %I:%M:%S %p")
| rename evtTime AS Time, Caller_Computer_Name AS Computer, lockout AS UserName
| table Time, Computer, UserName
          </query>
        </search>
        <option name="count">25</option>
      </table>
    </panel>
  </row>
</form>
Obviously, this dashboard also needs read access to the less permissioned role.
The dashboard then provides access to all 4740 events, but also has a search box to narrow it down to specific users.
My understanding of how it works is Splunk performs the run-as owner search behind the scenes, and saves the results off to the side, since there is no direct reference to them in the dashboard. The results are then used as a source for the stanzas in the dashboard.
HTH
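Added example, not part of the original post: because a "Run-As Owner" report hands its readers whatever the owner's search returns, this Python sketch lists such reports that non-admin roles can read and notes whether the search narrows its output fields (as the `table` in REPORT-AccountLockouts does). The role name `helpdesk`, the second report and the field-limiting heuristic are assumptions; the sample config is constructed.

```python
import configparser
import re

# Constructed sample config, not from the original post. The role "helpdesk"
# and the second report are hypothetical.
SAVEDSEARCHES_CONF = r'''
[REPORT-AccountLockouts]
dispatchAs = owner
search = index=wineventlog EventCode=4740 source="WinEventLog:Security" Security_ID="*" | eval lockout = if( mvcount(Security_ID)=1, mvindex(Security_ID, 0), mvindex(Security_ID, 1)) | table _time, Caller_Computer_Name, lockout | sort - _time

[REPORT-RawSecurityEvents]
search = index=wineventlog source="WinEventLog:Security"
'''
LOCAL_META = r'''
[savedsearches/REPORT-AccountLockouts]
access = read : [ helpdesk ], write : [ admin ]

[savedsearches/REPORT-RawSecurityEvents]
access = read : [ helpdesk ], write : [ admin ]
'''
# Heuristic (assumption): these commands narrow the fields a reader can see.
FIELD_LIMITERS = {"table", "fields", "stats", "chart", "timechart", "top"}

def _parse(text):
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def audit(conf_text, meta_text, privileged=("admin",)):
    """List run-as-owner reports readable by non-privileged roles."""
    conf, meta = _parse(conf_text), _parse(meta_text)
    findings = []
    for name in conf.sections():
        # dispatchAs defaults to "owner" when the stanza omits it.
        if conf[name].get("dispatchAs", "owner") != "owner":
            continue
        acl = meta.get(f"savedsearches/{name}", "access", fallback="")
        match = re.search(r"read\s*:\s*\[([^\]]*)\]", acl)
        readers = [r.strip() for r in match.group(1).split(",")] if match else []
        exposed = sorted(r for r in readers if r and r not in privileged)
        if not exposed:
            continue
        # Naive split: does not handle "|" inside quoted strings.
        stages = conf[name].get("search", "").split("|")[1:]
        commands = {s.split()[0] for s in stages if s.strip()}
        findings.append({"report": name, "roles": exposed,
                         "fields_limited": bool(commands & FIELD_LIMITERS)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAVEDSEARCHES_CONF, LOCAL_META):
        print(finding)
```

A report flagged with `fields_limited: False` returns every field of the owner's search to its readers, so it is the one to review first.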