Currently, "sharing" a search allows all users access to that particular search's results, even if a certain Splunk user does not have access to the index which contains these results. The only two permissions for Sharing a search are "Private" or "Everyone".
We have filed an enhancement request with Splunk to better control access to the Dispatch directory and these search artifacts (ENH-5971).
We have a lot of confidential data that we do not want users to accidentally share across our entire Splunk user base. Any user can view the Jobs manager and view shared (Saved) searches from any other user, and potentially view or disclose these confidential search results.
I was curious if anyone had a method for removing this button from everyone's view until this gets resolved.
We can always just say "never share search results", but I think everyone here knows how that will pan out amongst users :). We are on Splunk Enterprise 6.4.1.