I'm wanting to disable real-time searches for the roles 'user' and power-user'. For the user role, I removed most of the capabilities including rtsearch
. When I login as a local user account, I do not see the real-time search functionality available which I expect. When I do the same thing for the power-user role, the user still has the real-time functionality.
Here's the additional capabilities the power-user has that the regular user does not have
edit_sourcetypes
embed_report
list_settings
schedule_search
search_process_config_refresh
Perhaps run:
splunk btool props list --debug
Confirm the rtsearch does not have the = enabled flag on it, if it does try adding this to the relevant section of your authorize.conf:
rtsearch =
schedule_rtsearch =
Also note that if you have used something like admin_all_objects = enabled this will override the above permissions and allow the scheduling of real time searches even if rtsearch = (blank).
Note that I have not written rtsearch = disabled as the authorize.conf documentation states:
<capability> = <enabled>
* A capability that is enabled for this role.
* You can list many of these.
* Note that 'enabled' is the only accepted value here, as capabilities are
disabled by default.
Did you check via btool what are the effective capabilities for the power user role? Removing rtsearch should've been sufficient (https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Search/Restrictrealtimesearch#Disable_real-t...)