- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Dedicated search head with admin rights but not ad...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dedicated search head with admin rights but not admin of indexer cluster.
Hi,
My team (Team1) has a cluster of indexers and a search head cluster. We want to add a dedicated a search head to Team 2 where they can be admin.
A few conditions and restrictions:
- Team 1 should remain admins of the cluster but not of the dedicated search head.
- Team 2 should not be able to search certain indexes nor change that setting by any means.
In short, there are a few indexes which we do not want Team 2 to see nor tamper the settings to get access to, but we would like them to be admins of their own search head.
any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access control happens on the search head. So if you are an admin on a search head, you can effectively do anything on that search head including granting yourself rights to search any index you want. You still don't get write permissions to the search peers - this is something else and is done on the indexers themselves especially since you don't do indexer changes from a SH.
So you can have two independent search environments with separate sets of users (or even different authentication mechanisms) but I don't recall any mechanism allowing limiting searched indexes per whole search-head environments.
So the thing that you could do is to create a "restricted admin" role inheriting from several atomic roles - each allowing access to one of the indexes, having ability to grant roles from this particular set of roles and remove index access rights from all other roles grantable by this user.
But it might not be enough if you really need a "full admin" user with abilities to do all admin stuff on tne SH.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to what @dural_yyz said, you can restrict team1 from accessing the dedicated search head by not creating the users for team1 on the new instance. And make sure to provide appropriate capabilities to team2 so that they're not able to modify or search the indexes belonging to team1
Thanks,
Tejas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at cloning the default 'admin' role to a new role named anything such as 'team2admin'. Then you can remove the permissions for things like:
- add/modify roles
- add/modify search index or inherited search index
- many others you would want to review and confirm.
What you want to do is not impossible but from a security point of view near impossible to audit and ensure team 2 is always restricted from accessing the indexes in question. Additionally moving forward any permissive capabilities from 'admin' wouldn't carry forward to the cloned role so for every upgrade I would recommend an audit by proper admins.
Meet Duke Cyberwalker | A hero’s journey with Splunk
The Future of Splunk Search is Here - See What’s New!
Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today
