Re: Best Practice: Owner for shared search assets ...

nirmalrajneupan · ‎09-06-2017

Hello All

What is the best practice for assigning ownership of shared search assets? (Dashboard used by the whole team for example.)

I don't want to set it to a specific user. I would then have to worry about concurrent search quotas. Do I assign it to nobody (doesn't sound like a good idea.) Do I assign it to a system user (Is there a system user?).

Also, search accounts would not be preferred since that would mean another shared account with a shared password to manage.

Thanks,

somesoni2 · ‎09-07-2017

Generally we create a role with higher quota for owners of such shared artifacts, in order to avoid search quota issue. Assigning owner as nobody makes it run as system user (splunk-system-user to be specific) which have high limit but is a hard-coded value (can't be increased/decreased). You can also increase quota for a user but that will enforce dependency on a user.

lfedak_splunk · ‎09-06-2017

@nirmalrajneupane, Have you had a chance to read these pages in the documentation about users and roles, as well as roles and capabilities?
http://docs.splunk.com/Documentation/Splunk/6.6.3/Security/Aboutusersandroles
http://docs.splunk.com/Documentation/Splunk/6.6.3/Security/Rolesandcapabilities

nirmalrajneupan · ‎09-07-2017

@lfedak

Read the documents. Don't think it answers my questions.

So are you recommending creating a user with required privileges to own the dashboards. Is that what is mostly done? We want to avoid using shared accounts with shared password. But if this is the only option, I can understand.

Thanks,
Nirmal

Best Practice: Owner for shared search assets (Searches, Reports, Dashboards etc.)

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...