Security

Best Practice: Owner for shared search assets (Searches, Reports, Dashboards etc.)

nirmalrajneupan
Explorer

Hello All

What is the best practice for assigning ownership of shared search assets? (Dashboard used by the whole team for example.)

I don't want to set it to a specific user. I would then have to worry about concurrent search quotas. Do I assign it to nobody (doesn't sound like a good idea.) Do I assign it to a system user (Is there a system user?).

Also, search accounts would not be preferred since that would mean another shared account with a shared password to manage.

Thanks,

0 Karma

somesoni2
Revered Legend

Generally we create a role with higher quota for owners of such shared artifacts, in order to avoid search quota issue. Assigning owner as nobody makes it run as system user (splunk-system-user to be specific) which have high limit but is a hard-coded value (can't be increased/decreased). You can also increase quota for a user but that will enforce dependency on a user.

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

@nirmalrajneupane, Have you had a chance to read these pages in the documentation about users and roles, as well as roles and capabilities?
http://docs.splunk.com/Documentation/Splunk/6.6.3/Security/Aboutusersandroles
http://docs.splunk.com/Documentation/Splunk/6.6.3/Security/Rolesandcapabilities

0 Karma

nirmalrajneupan
Explorer

@lfedak

Read the documents. Don't think it answers my questions.

So are you recommending creating a user with required privileges to own the dashboards. Is that what is mostly done? We want to avoid using shared accounts with shared password. But if this is the only option, I can understand.

Thanks,
Nirmal

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!