Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Isolate a Search head - search head user account

aab1
Explorer
‎09-08-2024 11:04 PM

Hi 
I found this 2011 chat "72798" on Splunk to "considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do"

Do anybody know if this is somehow available or doable in 2024?
My case is that I need a Standalone Searchhead with access to a subset of all indexes in the Cluster.
But at the same time full control of the Searchhead (Splunk Admin capabilities except changes to the searchable index list) 
The aim is to separate the SH to be managed by a 3 party.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2024 11:58 PM

Hi @aab1 ,

as I said, there's only one solution: create a custom admin without that feature and without the feature of altering roles, no other solution.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2024 11:15 PM

Hi @aab1 ,

you have to create a custom role, cloning the admin role (don't use inheritance), removing the feature you want and also the features to change user capabilities (otherwise the customization isn't useful!).

Then, you give to this role the grants to see only a part of indexes.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aab1
Explorer
‎09-08-2024 11:37 PM

Morning Giuseppe 

Thanks for a quick reply.
My problem with this solution is that I somehow need to ensure that

1 The Full Splunk admin can't login the SH (since the SH is managed by 3 party including custom TA's)
2 The 3 party managed SH must not be able to alter the roles (so no access to the Full Admin)

Hence the need for a isolated setup where the roles are set on the Peer site.  

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2024 11:58 PM

Hi @aab1 ,

as I said, there's only one solution: create a custom admin without that feature and without the feature of altering roles, no other solution.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

aab1
Explorer
‎09-09-2024 12:26 AM

Hi again

Thank you very much clarification 🙂

/Best Rgds

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2024 12:34 AM

Hi @aab1 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...