kgraham Super Contributor.

Restricting Filters/Searches

Is there a way to restrict which filters and/or searches are available to certain user groups?

I do have the users restricted to specific data stores via search filters.

I ask this twofold.

1.  There are support people that do not need to see "everything" but they do need to know what devices are locking users out of their AD accounts.

2.  When I make the "search" into a report so all they need to do is input a "user name", it takes 3 times as long to get any results, if any, for the same query.

These are very simple.  Am I missing something?

Thanks in advance




categoryBehavior = /Authentication/Verify and categoryOutcome != /Success and destinationUserName  contains admin | fields + endTime + name + message + deviceCustomString4 + destinationUserName + destinationHostName + destinationNtDomain + deviceCustomNumber1 + sourceAddress + sourceMacAddress + destinationAddress | rename deviceCustomString4 as Reason | rename deviceCustomNumber1 as LogonSource | rename destinationNtDomain as Domain | rename destinationUserName as User | rename sourceMacAddress as "User MAC"  | rename sourceAddress as "User Address" 

Report Query:

SELECT
  arc_endTime "Time",
  arc_name "Name",
  arc_message "Message",
  arc_deviceCustomString4 "Reason",
  arc_destinationUserName "User",
  arc_destinationNtDomain "Domain",
  arc_deviceCustomNumber1 "Logon Source",
  arc_sourceAddress "User Address",
  arc_sourceMacAddress "User MAC"
FROM events
WHERE arc_categoryBehavior = '/Authentication/Verify'
  AND arc_categoryOutcome != '/Success'
  AND arc_destinationUserName LIKE '<%User_Account%>'

2 Replies
andrew.dalbor Outstanding Contributor.

Re: Restricting Filters/Searches

Hey Kim,

We do something similar except we use saved searches only.  We then use the saved searches to create a dashboard that they can access and view real time.

As far as I know you can't restrict which filters, just the ability to create, save, remove, etc.

Below is what we use for the acct lockout dashboard.

They can then pivot from the dashboard straight to the search page.

deviceEventClassId = "Microsoft-Windows-Security-Auditing:4740" _peerLogger IN [] |chart count by destinationUserName sourceAddress sourceHostName |rename destinationUserName as LockedOutUser |rename sourceAddress as "Source of Lockout Address" |rename sourceHostName as "Source of Lockout Hostname" |rename _count as NumberofLockouts

We also have another saved search where all they have to do is replace what's in destinationUserName = "" with the specified user.

Not exactly what you asked for but might help some.

kgraham Super Contributor.

Re: Restricting Filters/Searches

Thank you

I do have several saved searches they have access to view.  Like yourself they are on dashboards. I added yours, I trust that was alright.

It all started with the search where they were to change the username in a predefined search - destinationUserName CONTAINS "CHANGEME".   I placed it at the start of the search string so it was easy to find. 

The managers had actually asked me to restrict the users so that they could not modify any searches and be accused of "poking around".   Hence why I was looking at no access to the search function and only let them input a "username", with specific information output to them.   The only way, so far, I have found to do that is in a report.  I will see if allowing dashboards/pivoting to the search without having search allowance works.

I'll keep searching as well.
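
The "only let them input a username" idea from the last post, sketched as an added example (not code from either poster or from the product): a small front-end you control holds the fixed lockout search from the thread, accepts nothing but an allow-listed user name, and records who looked up whom. The function names, the `helpdesk01` operator and the account-name policy are assumptions; submitting the resulting query to Logger is left out.

```python
import re
from datetime import datetime, timezone

# Fixed search: the 4740 lockout search posted in the thread, narrowed to one
# user. The user name is the only part a support operator can influence.
TEMPLATE = (
    'deviceEventClassId = "Microsoft-Windows-Security-Auditing:4740" '
    'AND destinationUserName = "{user}" '
    '| chart count by destinationUserName sourceAddress sourceHostName '
    '| rename _count as NumberofLockouts'
)

# Assumed account-name policy (adjust to your directory): 1-20 characters,
# letters, digits, dot, underscore, hyphen. No quotes, pipes, spaces or
# wildcards, so the input cannot add operators or widen the search.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")


def build_lockout_search(username: str) -> str:
    """Return the fixed lockout search for exactly one user name."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("user name rejected by allow-list")
    return TEMPLATE.format(user=username)


def lookup_request(operator: str, username: str) -> dict:
    """Build the search plus an audit record of who looked up which account."""
    query = build_lockout_search(username)
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "lookup": username,
        "query": query,
    }


if __name__ == "__main__":
    # Constructed inputs: one normal name, then attempts to alter the search.
    for name in ["jsmith", 'x" OR destinationUserName = "admin', "*", "a | top"]:
        try:
            print(lookup_request("helpdesk01", name)["query"])
        except ValueError as err:
            print(f"{name!r}: {err}")
```

Because the audit record is built only after validation succeeds, every stored lookup corresponds to exactly one account name and one unmodified search.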

