A limited type of search string that is defined for and applied to a given role through Settings > Access controls > Roles or the
authorize.conf file, thereby constraining what data users in the role can access by using search.
Search filters are additive. If a user is a member of more than one role with search filters applied, all applicable search filters are joined with a Boolean 'OR'.
In the Securing Splunk Enterprise:
In the Admin Manual: