Deployment Architecture

Can we add a dedicated search head to give admin rights?

splunkreal
Motivator

Hello,

We have 3 SHC. Would it be possible to add 1 SH dedicated to a special team and give admin rights only on this last one?

Thanks.

* If this helps, please upvote or accept solution 🙂 *
PickleRick
SplunkTrust

You should simply install a separate SH using the same indexer(s).

Of course it would be managed completely separately from the SHC.

splunkreal
Motivator

Is it possible, however, that this team then adds the can_delete or delete_by_keyword capability and may be able to delete data on clustered indexers? Thanks.


PickleRick
SplunkTrust

Yes. Any permissions for actions called by users from the SH are defined on that SH. You simply "pair" the SH(C) with the IDX(C), and the IDX has no concept of the end user, its identity and such. It's the SH that decides who can do what, so if you give someone admin rights on the SH, he can effectively do anything with your data.

Separating SH(C)s makes sense for purposes of isolating search-time artifacts, KV-stores, managing saved searches and so on.


gcusello
SplunkTrust

Hi @splunkreal,

Yes, it's possible, but it isn't a good idea!

Ciao.

Giuseppe

splunkreal
Motivator

So that's the risk 😉


isoutamo
SplunkTrust

That’s probably the biggest issue: as they have admin rights, they can do anything to all the data that you have on your indexers. You cannot, e.g., disable access to any indexes, as they can add access to those as they want.


splunkreal
Motivator

Yes, this looks like a good solution, thanks.


gcusello
SplunkTrust

Hi @splunkreal,

If you have a Search Head Cluster, you have the same rights in all the components.

If you have non-clustered SHs, you can give different rights to the configured roles.

Anyway, you can give different grants to different groups (or roles).

Ciao.

Giuseppe
