Security

Grant permission to view search results but not execute

dnolan_switch
New Member

I can see in my user roles that I can prevent a user from accessing search functionality, but it appears that this means that a user can't even view the results of a saved search.

How can I allow a user to view existing saved searches, but not start new ones?

This is useful for us as Splunk is being shared across multiple sites, so we are allowing only our backend to create private, invisible saved searches with data they have permission to view, and then embedding the results in an iframe on our frontend. The client doesn't know how to use Splunk, all they know is they want analytics for their site.

Tags (2)
0 Karma

rmorlen
Splunk Employee
Splunk Employee

We have a jobs server setup that runs all scheduled searches. Users don't have access to this server for searching. If they want a scheduled search then they must request this from us. They can still create a saved search just not schedule it.

On the servers you DON'T want them to be able schedule searrches in the default-mode.conf file put:

[pipeline:scheduler]

disabled = true

0 Karma

dnolan_switch
New Member

@rmorlen Thanks for that info. The problem is, the client doesn't know how to use Splunk, all they know is they want analytics for their site. We know what reports we need to generate automatically, we just need to be able to embed an iframe which doesn't allow creating searches.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...