I can see in my user roles that I can prevent a user from accessing search functionality, but it appears that this means that a user can't even view the results of a saved search.
How can I allow a user to view existing saved searches, but not start new ones?
This is useful for us as Splunk is being shared across multiple sites, so we are allowing only our backend to create private, invisible saved searches with data they have permission to view, and then embedding the results in an iframe on our frontend. The client doesn't know how to use Splunk, all they know is they want analytics for their site.
We have a jobs server setup that runs all scheduled searches. Users don't have access to this server for searching. If they want a scheduled search then they must request this from us. They can still create a saved search just not schedule it.
On the servers you DON'T want them to be able schedule searrches in the default-mode.conf file put:
[pipeline:scheduler]
disabled = true
@rmorlen Thanks for that info. The problem is, the client doesn't know how to use Splunk, all they know is they want analytics for their site. We know what reports we need to generate automatically, we just need to be able to embed an iframe which doesn't allow creating searches.