Hello,
We have 3 SHC. Could it be possible to add 1 SH dedicated to a special team and give admin rights only to this last one?
Thanks.
You should simply install a separate SH using the same indexer(s).
Of course it would be managed completely separately from the SHC.
Is it possible, however, that this team then adds the can_delete or delete_by_keyword capability and is able to delete data on the clustered indexers? Thanks.
Yes. Any permissions for actions called by users from SH are defined on that SH. You simply "pair" SH(C) with IDX(C) and the IDX has no concept of the end user, its identity and such. It's the SH that decides who can do what so if you give someone admin rights on SH, he can effectively do anything with your data.
Separating SH(C)'s makes sense for purposes of isolating search-time artifacts, KV-stores, managing saved searches and so on.
so that's the risk 😉
That’s probably the biggest issue: as they have admin rights, they can do anything to all the data that you have on your indexers. You cannot e.g. disable access to any indexes, as they can add access to those as they want.
Yes, this looks like a good solution, thanks.
Hi @splunkreal,
If you have a Search Head Cluster, you have the same rights in all the components.
If you have non-clustered SHs, you can give different rights to the configured roles.
Anyway, you can give different grants to different groups (or roles).
Ciao.
Giuseppe
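The thread's concern is that roles on the extra search head can reach the delete capability. The following is an added example, not code from any poster or from Splunk: an audit of one `authorize.conf` that resolves `importRoles` inheritance and reports every role that ends up with `delete_by_keyword` or `edit_roles`. The role names `team_user` and `team_admin` and the sample file are constructed.

```python
import configparser

# delete_by_keyword permits the `delete` search command; edit_roles lets a
# user grant further capabilities to roles, including their own.
RISKY = {"delete_by_keyword", "edit_roles"}

# Constructed sample authorize.conf for the dedicated search head.
SAMPLE = """
[role_can_delete]
delete_by_keyword = enabled
[role_team_user]
importRoles = user
[role_team_admin]
importRoles = team_user;can_delete
edit_roles = enabled
"""

def parse_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for sec in cp.sections():
        if sec.startswith("role_"):
            items = dict(cp[sec])
            imports = [r.strip() for r in items.get("importRoles", "").split(";") if r.strip()]
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[sec[5:]] = (caps, imports)
    return roles

def effective_caps(roles, name, seen=None):
    # Own capabilities plus everything inherited; `seen` guards import cycles.
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps, imports = roles[name]
    out = set(caps)
    for parent in imports:
        out |= effective_caps(roles, parent, seen)
    return out

def risky_roles(text):
    roles = parse_roles(text)
    report = {n: sorted(RISKY & effective_caps(roles, n)) for n in roles}
    return {n: c for n, c in report.items() if c}

if __name__ == "__main__":
    print(risky_roles(SAMPLE))
```

This reads a single file; on a real search head the effective roles are merged from several `authorize.conf` files, so run it against the merged output.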