Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to disable realtime searches for the power user role?

skoelpin
SplunkTrust
SplunkTrust
‎10-03-2017 07:21 AM

I'm wanting to disable real-time searches for the roles 'user' and power-user'. For the user role, I removed most of the capabilities including rtsearch. When I login as a local user account, I do not see the real-time search functionality available which I expect. When I do the same thing for the power-user role, the user still has the real-time functionality.

Here's the additional capabilities the power-user has that the regular user does not have 

edit_sourcetypes
embed_report
list_settings
schedule_search
search_process_config_refresh
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-04-2017 05:40 AM

Perhaps run:

splunk btool props list --debug

Confirm the rtsearch does not have the = enabled flag on it, if it does try adding this to the relevant section of your authorize.conf:

rtsearch =
schedule_rtsearch =

Also note that if you have used something like admin_all_objects = enabled this will override the above permissions and allow the scheduling of real time searches even if rtsearch = (blank).

Note that I have not written rtsearch = disabled as the authorize.conf documentation states:

<capability> = <enabled>
* A capability that is enabled for this role.
* You can list many of these.
* Note that 'enabled' is the only accepted value here, as capabilities are
  disabled by default.
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

somesoni2
Revered Legend
‎10-03-2017 07:41 AM

Did you check via btool what are the effective capabilities for the power user role? Removing rtsearch should've been sufficient (https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Search/Restrictrealtimesearch#Disable_real-t...)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...