Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem: contract emplyees can't use our domain where Splunk is. Proposed solution: New search head in secondary domain connected to current Splunk instance. Thoughts?

geoppspl7
New Member
‎10-09-2017 06:21 AM

We are only allowed to use AD accounts when accessing Splunk, but in our PCI DSS environment some users are not allowed to have accounts by policy due to either being contractors or due to age restrictions.

Is it at all possible to have another search head in another domain, but connected to same Splunk instance we already have? This way the search head will be in the domain where our users are etc.

I am just thinking how we can grant access to Splunk if the users cannot have AD accounts in the same domain as Splunk and we cannot use trusts etc.

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 05:18 PM

Hey @geoppspl7, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 10:25 AM

Yes, there is no problem configuring a second search head that uses a different authentication provider and different set of authorization policies to use against your existing indexing tier. All authentication/authorization enforcement happens on the search head.

Reply

DalJeanis
Legend
‎10-09-2017 09:47 PM

@geoppspl7 - Please make sure you understand the reasoning behind the policy before you attempt to circumvent it in this way. While it is technically feasible, there's a disconnect in the policy itself.

As you describe it, and assuming there is no reason to prevent your contractors from accessing splunk, when everyone else in the AD group can access it, then the AD group appears to be being used for some other access authority as well as splunk. (This is not best practices. Access should be segregated by usage, and access should always be granted granularly based on need and assigned organizational authority.)

If so, then that duplicate authority attached to a single AD group is the root of the issue you are running up against. Has your organization somehow opened splunk up to everybody in a particular domain, regardless of whether the employee has a business need?

If so, it seems you are trying to create a workaround for a security plug, when the plug itself is obscuring a larger security hole.

Investigate the underlying philosophy, and act accordingly (but politely). Nobody wants to be the next Equifax.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...