Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem: contract emplyees can't use our domain where Splunk is. Proposed solution: New search head in secondary domain connected to current Splunk instance. Thoughts?

geoppspl7
New Member
‎10-09-2017 06:21 AM

We are only allowed to use AD accounts when accessing Splunk, but in our PCI DSS environment some users are not allowed to have accounts by policy due to either being contractors or due to age restrictions.

Is it at all possible to have another search head in another domain, but connected to same Splunk instance we already have? This way the search head will be in the domain where our users are etc.

I am just thinking how we can grant access to Splunk if the users cannot have AD accounts in the same domain as Splunk and we cannot use trusts etc.

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 05:18 PM

Hey @geoppspl7, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎10-09-2017 10:25 AM

Yes, there is no problem configuring a second search head that uses a different authentication provider and different set of authorization policies to use against your existing indexing tier. All authentication/authorization enforcement happens on the search head.

Reply

DalJeanis
Legend
‎10-09-2017 09:47 PM

@geoppspl7 - Please make sure you understand the reasoning behind the policy before you attempt to circumvent it in this way. While it is technically feasible, there's a disconnect in the policy itself.

As you describe it, and assuming there is no reason to prevent your contractors from accessing splunk, when everyone else in the AD group can access it, then the AD group appears to be being used for some other access authority as well as splunk. (This is not best practices. Access should be segregated by usage, and access should always be granted granularly based on need and assigned organizational authority.)

If so, then that duplicate authority attached to a single AD group is the root of the issue you are running up against. Has your organization somehow opened splunk up to everybody in a particular domain, regardless of whether the employee has a business need?

If so, it seems you are trying to create a workaround for a security plug, when the plug itself is obscuring a larger security hole.

Investigate the underlying philosophy, and act accordingly (but politely). Nobody wants to be the next Equifax.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...