Deployment Architecture

Dedicated search head with admin rights but not admin of indexer cluster.

jlhamlet
Path Finder

Hi,

My team (Team1) has a cluster of indexers and a search head cluster. We want to add a dedicated search head for Team 2 where they can be admins.

A few conditions and restrictions:

- Team 1 should remain admins of the cluster but not of the dedicated search head.

- Team 2 should not be able to search certain indexes nor change that setting by any means.

In short, there are a few indexes which we do not want Team 2 to see nor tamper with the settings to get access to, but we would like them to be admins of their own search head.

Any suggestions?


PickleRick
SplunkTrust

Access control happens on the search head. So if you are an admin on a search head, you can effectively do anything on that search head including granting yourself rights to search any index you want. You still don't get write permissions to the search peers - this is something else and is done on the indexers themselves especially since you don't do indexer changes from a SH.

So you can have two independent search environments with separate sets of users (or even different authentication mechanisms) but I don't recall any mechanism allowing limiting searched indexes per whole search-head environments.

So the thing that you could do is to create a "restricted admin" role inheriting from several atomic roles - each allowing access to one of the indexes, having ability to grant roles from this particular set of roles and remove index access rights from all other roles grantable by this user.

But it might not be enough if you really need a "full admin" user with abilities to do all admin stuff on the SH.

tej57
Contributor

In addition to what @dural_yyz said, you can restrict team1 from accessing the dedicated search head by not creating the users for team1 on the new instance. And make sure to provide appropriate capabilities to team2 so that they're not able to modify or search the indexes belonging to team1.

Thanks,
Tejas


dural_yyz
Builder

Look at cloning the default 'admin' role to a new role named anything such as 'team2admin'. Then you can remove the permissions for things like:

- add/modify roles

- add/modify search index or inherited search index

- many others you would want to review and confirm.

What you want to do is not impossible, but from a security point of view it is near impossible to audit and ensure Team 2 is always restricted from accessing the indexes in question. Additionally, moving forward, any permissive capabilities added to 'admin' wouldn't carry forward to the cloned role, so for every upgrade I would recommend an audit by proper admins.
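Both the "restricted admin built from atomic roles" idea above and the recommendation to audit the cloned role after every upgrade come down to one question: for each role on Team 2's search head, which indexes can it effectively reach once `importRoles` inheritance is resolved, and does it hold any capability that would let it change that answer? The script below is an added example, not code from this thread or from Splunk. It parses a constructed `authorize.conf`, resolves inheritance, and flags roles that reach a restricted index or hold an escalation capability. Assumptions: `srchIndexesAllowed`, `srchIndexesDisallowed`, `importRoles` and `grantableRoles` are the real authorize.conf settings (the last two require a Splunk version that supports them), and the model of "allowed and disallowed lists are unioned down the import chain, disallowed wins" is my reading of their semantics, so verify it against the docs for your release before trusting a clean result.

```python
"""Audit a Splunk authorize.conf: which roles can reach restricted indexes,
and which roles hold capabilities that would let them change that."""
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf (not from the thread). It models the
# "restricted admin" design: atomic roles that each expose one index set,
# and a team2admin role that imports them, can grant only those roles,
# and is explicitly denied Team 1's indexes. oops_analyst is a deliberate
# bad role so the audit has something to find.
SAMPLE_AUTHORIZE_CONF = """
[role_team2_idx_app]
srchIndexesAllowed = team2_app;team2_web

[role_team2_idx_sec]
srchIndexesAllowed = team2_sec

[role_team2admin]
importRoles = team2_idx_app;team2_idx_sec
srchIndexesDisallowed = team1_*;finance
grantableRoles = team2_idx_app;team2_idx_sec
edit_user = enabled
edit_roles_grantable = enabled

[role_user]
srchIndexesAllowed = main

[role_oops_analyst]
importRoles = user
srchIndexesAllowed = *
edit_roles = enabled
"""

# Constructed index inventory for the search peers, and Team 1's private ones.
KNOWN_INDEXES = ["main", "_internal", "team1_hr", "team1_pii", "finance",
                 "team2_app", "team2_web", "team2_sec"]
RESTRICTED_INDEXES = {"team1_hr", "team1_pii", "finance"}

# Capabilities that let a role change who can see what. Assumed starting
# set for the audit, not an exhaustive list of Splunk capabilities.
ESCALATION_CAPS = {"edit_roles", "admin_all_objects", "change_authentication"}

# Keys in a role stanza that are settings rather than capabilities.
ROLE_SETTINGS = {"importRoles", "srchIndexesAllowed", "srchIndexesDisallowed",
                 "grantableRoles", "srchFilter"}


def parse_roles(conf_text):
    """Return {role_name: {key: value}} from every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case: srchIndexesAllowed is case-sensitive
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections()
            if s.startswith("role_")}


def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def resolve(roles, name, seen=None):
    """Merge allowed/disallowed patterns and enabled capabilities through
    importRoles (assumed model: union down the chain, disallowed wins)."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:  # cycle guard / unknown import
        return set(), set(), set()
    seen.add(name)
    stanza = roles[name]
    allowed = set(_split(stanza.get("srchIndexesAllowed", "")))
    disallowed = set(_split(stanza.get("srchIndexesDisallowed", "")))
    caps = {k for k, v in stanza.items()
            if k not in ROLE_SETTINGS and v.strip().lower() == "enabled"}
    for parent in _split(stanza.get("importRoles", "")):
        a, d, c = resolve(roles, parent, seen)
        allowed |= a
        disallowed |= d
        caps |= c
    return allowed, disallowed, caps


def index_matches(index, pattern):
    """Splunk-style wildcard: a pattern without a leading '_' never matches
    an internal (underscore) index, so '*' alone does not expose _internal."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def reachable_indexes(allowed, disallowed, known):
    """Concrete indexes a role can search given its merged pattern sets."""
    return {i for i in known
            if any(index_matches(i, p) for p in allowed)
            and not any(index_matches(i, p) for p in disallowed)}


def audit(conf_text, known=KNOWN_INDEXES, restricted=RESTRICTED_INDEXES):
    """Return {role: finding} for roles that reach a restricted index or
    hold an escalation capability; a clean config yields an empty dict."""
    roles = parse_roles(conf_text)
    findings = {}
    for name in roles:
        allowed, disallowed, caps = resolve(roles, name)
        leak = reachable_indexes(allowed, disallowed, known) & restricted
        esc = caps & ESCALATION_CAPS
        if leak or esc:
            findings[name] = {"restricted_reachable": sorted(leak),
                              "escalation_caps": sorted(esc)}
    return findings


if __name__ == "__main__":
    for role, finding in audit(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {finding}")
```

Run it against the merged `authorize.conf` from `splunk btool authorize list --debug` rather than a single file, since a role defined in an app can import or override one in `system/local`; re-running it after each upgrade is the audit step the post above asks for.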
