I'm planning a distributed installation of splunk with the search head and the indexers in different servers.
To my understanding the authorized.conf goes into the search head and defines to which indexes a group of users has access. I was wondering how to ensure that somebody else does not create his own search head and puts in his authorized.conf access to all the indexes in his own search head, avoiding the rules that you created in the general search head.
Is there a way to ensure that somebody does not add a search head and has access to all my indexes? how is this ensured?