Normal users should see a subset of a field extraction; a small set of higher-privileged users should be able to see more fields extracted from a log event in the search app.
Reason: deeper analysis capabilities for special analysts, limited field analysis and search time savings for normal users.
Can you please tell me how this has to be implemented? Is there an easier approach than mine?
What do I have to configure and where?
Can I handle it in one Addon?
Do I really save search time if field extraction is limited for the majority of the users? How can I measure the differences?
My approach and actual (no) results:
I created add-ons with report field extraction for specific sourcetypes (log events):
- create an Addon ..._baseline with the field subset - all users are granted
- create an Addon ..._all with all fields extracted, but limit access to a role "deep_data"
- assigned the role to the user, who should see all the data
But there is no difference whether a user has the role or not. By playing with some permission assignments I can enforce that users see the subset or the whole set. But it doesn't depend on the role assignment. It's just for all users.
You can set the grants by adding the roles of your users to a knowledge object.
The only problem is that if a role/user cannot see a field, all the searches containing that field have no results for that role!
In other words, if a role cannot see a field, it isn't used in all searches.
The only way to mask some fields for some users is to create different dashboards for the different roles containing a different list of fields; remember to disable the feature "open in search" for the limited users.
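As an added illustration (not part of the original posts), the role grants on knowledge objects described in the answer can be written into a single add-on's metadata file. The sourcetype `acme_app_log`, the transform and REPORT names, and the sample regexes are hypothetical; only the role `deep_data` comes from the question.

```ini
# --- default/transforms.conf (constructed sample extractions) ---
# Baseline subset of fields, intended for every user
[acme_baseline_fields]
REGEX = user=(?<user>\S+)\s+action=(?<action>\S+)

# Additional fields, intended only for the deep_data role
[acme_extended_fields]
REGEX = src_ip=(?<src_ip>\S+)\s+session=(?<session_id>\S+)

# --- default/props.conf ---
[acme_app_log]
REPORT-acme_baseline = acme_baseline_fields
REPORT-acme_extended = acme_extended_fields

# --- metadata/default.meta ---
# Add-on default: every role can read, objects are shared to all apps
# so they also apply in the search app
[]
access = read : [ * ], write : [ admin ]
export = system

# Per-object override: only deep_data (and admin) can read the extended
# extraction, so it is not applied to searches run by other roles
[transforms/acme_extended_fields]
access = read : [ deep_data, admin ], write : [ admin ]

[props/acme_app_log/REPORT-acme_extended]
access = read : [ deep_data, admin ], write : [ admin ]
```

As the answer points out, a search that filters on `src_ip` or `session_id` returns nothing for a role without read access to these objects, because the fields are never extracted for that role.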