Hey guys, i have several search heads in my Splunk cluster. I'd like to restrict permissions for one particular search head (even for admins there). Is this possible?
Thanks in advance!
Access to indexes is controlled by role. The only way to restrict access from a given SH is to have separate roles on that SH that do not grant access to the restricted index. Since SHs in a cluster share configurations, the only way to have separate roles is to have an SH that is not part of the cluster. You'll need to create a new SH or split one off the cluster (assuming you currently have more than 3 in the cluster.
Hello @highsplunker
You should create roles if you want that in Access control.
Access to indexes is controlled by role. The only way to restrict access from a given SH is to have separate roles on that SH that do not grant access to the restricted index. Since SHs in a cluster share configurations, the only way to have separate roles is to have an SH that is not part of the cluster. You'll need to create a new SH or split one off the cluster (assuming you currently have more than 3 in the cluster.
Ok! Thanks!