Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Assigning all Knowledge Objects to "nobody" - Pros and Cons

dyeyniyel
Explorer
‎01-24-2022 02:23 AM
Hey All,

We are currently transitioning our users from Local to SAML, and with this, the savedsearches/KO's owned by the local users would need to be reassigned as they will soon be deleted on our environment.
 
What would be the best practice for this, should we just reassign all these knowledge objects owned by the users to nobody, or should we just assign them to their respective SAML user account equivalent?
 
The K.O's are general use cases so we're thinking that assigning it to nobody would be fine, but it may cause some quota hits or some searches might not be executed if all are assigned to nobody.
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎01-24-2022 06:15 PM

nobody runs as the splunk system user and by default that has admin access.

So you probably don't want to reassign to nobody.

Furthermore depending on write permissions the original users might lose the ability to edit the knowledge objects. They will likely lose the ability to remove the objects too...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution

michelletieder
Engager
‎03-21-2022 02:36 PM

I understand the code has issues with the KO's not being owned and a person loosing access to edit them. So, I'd suggest the system auto reassigns it to a created by splunk user when it gets shared. And they keep rights to edit if they have shared access. It's really something odd to keep having to manage. Either that or someone needs to come up with a better way to manage it.

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎01-24-2022 06:15 PM

nobody runs as the splunk system user and by default that has admin access.

So you probably don't want to reassign to nobody.

Furthermore depending on write permissions the original users might lose the ability to edit the knowledge objects. They will likely lose the ability to remove the objects too...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

dyeyniyel
Explorer
‎01-25-2022 01:18 AM

Hi @gjanders,

Thanks for the response! Appreciate it. We're planning on just creating something like a local service account and we'll assign the savedsearches there, with the necessary permissions and quotas. 

Just a question, would you know if the savedsearches would still run if let's say for example it's owner already has expired password?

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎01-25-2022 10:24 PM

I do not believe password expiry triggers that scenario (happy to be corrected)

A disabled account *and* a restart of the SH or a refresh of the ldap cache should trigger this...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...