Deployment Architecture

Can we add a dedicated search head to give admin rights?

realsplunk
Motivator

Hello,

We have 3 SHC. Could it be possible to add 1 SH dedicated to a special team and give admin rights only to this last one?

Thanks.

0 Karma

PickleRick
Ultra Champion

You should simply install a separate SH using the same indexer(s).

Of course it would be managed completely separately from the SHC.

realsplunk
Motivator

Is it possible, however, that this team then adds the can_delete or delete_by_keyword capability and may be able to delete data on clustered indexers? Thanks.

0 Karma

PickleRick
Ultra Champion

Yes. Any permissions for actions called by users from SH are defined on that SH. You simply "pair" SH(C) with IDX(C) and the IDX has no concept of the end user, its identity and such. It's the SH that decides who can do what, so if you give someone admin rights on SH, he can effectively do anything with your data.

Separating SH(C)s makes sense for purposes of isolating search-time artifacts, KV-stores, managing saved searches and so on.

0 Karma

gcusello
Legend

Hi @realsplunk,

Yes, it's possible, but it isn't a good idea!

Ciao.

Giuseppe

realsplunk
Motivator

so that's the risk 😉

0 Karma

isoutamo
SplunkTrust

That’s probably the biggest issue: as they have admin rights, they can do anything to all the data that you have on your indexers. You cannot, e.g., disable access to any indexes, as they can add access to those as they want.

0 Karma

realsplunk
Motivator

Yes, this looks like a good solution, thanks.

0 Karma

gcusello
Legend

Hi @realsplunk,

If you have a Search Head Cluster, you have the same rights in all the components.

If you have non-clustered SHs, you can give different rights to the configured roles.

Anyway, you can give different grants to different groups (or roles).

Ciao.

Giuseppe
