Splunk Cloud Platform

Search Manual


Service accounts and federated search security

Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account enables secure communication between the federated search head on your local Splunk platform deployment and the federated provider.

Federated search security models

A service account enables one of two security models, depending on whether Local Knowledge Objects is enabled or disabled for the federated provider.

Local Knowledge Objects setting: Disabled
  Applies to: Standard mode federated providers, by default.
  Security model: Data access privileges and restrictions derive from the service account role, which is defined on the remote Splunk platform deployment.
  Description: Users running federated searches on the local deployment delegate their security to the role held by the service account user on the remote deployment. This role is defined on the remote deployment. Access privileges and restrictions set on the service account role apply to all federated searches run over the remote deployment.

Local Knowledge Objects setting: Enabled
  Applies to:
    • Standard mode federated providers, when you enable Local Knowledge Objects.
    • Transparent mode federated providers, always.
  Security model: Data access privileges and restrictions derive from a service account role on the remote Splunk platform deployment, which in turn borrows its access control settings from a role on your local Splunk platform deployment.
  Description: Users running federated searches on the local deployment delegate their security to the role held by the service account user on the remote deployment. The service account user role on the remote deployment gets its access privileges and restrictions from a role defined on the local deployment. The two roles must have the same name for this to work. The access privileges and restrictions from the local deployment role apply to all federated searches run over the remote deployment.

For more information about the standard and transparent federated provider modes, see About federated search.

For more information about the Local Knowledge Objects setting, see Determine which knowledge objects are applied to federated searches.

Step one: Create a role on the remote Splunk deployment

To set up a service account on a remote Splunk deployment, you must first create or identify an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will have Local Knowledge Objects enabled or disabled.

If the federated provider will have Local Knowledge Objects disabled

Local Knowledge Objects is disabled by default for standard mode federated providers.

If the remote Splunk platform deployment you are defining as a standard mode federated provider will have Local Knowledge Objects disabled, create a new service account role on the remote deployment. This is the role you will give to the service account user for the federated provider. Federated searches that run over this remote deployment have their access controls defined by this role.

See Create and manage roles with Splunk Web for a detailed description of the role setup process.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Click New Role.
  3. Give the role a unique Name.
  4. Ensure that the role has appropriate access to data on the remote Splunk platform deployment for the federated searches your users will be running. Specify role inheritance, capabilities, searchable indexes, search restrictions, and search-related limits.
    To ensure that the service account role has the essential capabilities for running searches, make sure the role inherits its baseline capabilities from the User role.
  5. Click Save.

If the federated provider will have Local Knowledge Objects enabled

You can optionally enable Local Knowledge Objects for standard mode federated providers. Local Knowledge Objects is always enabled for transparent mode federated providers.

If the remote Splunk platform deployment you are defining as a federated provider will have Local Knowledge Objects enabled, identify or create a service account role on the remote deployment that has the same name as the role that your users will use when they run federated searches from your local deployment.

See Create and manage roles with Splunk Web for a detailed description of the role setup process.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Identify an existing role on the remote deployment that has the same name as a role on the local deployment that your users use to run federated searches.
    1. If the role your users use for federated searches does not exist on the remote deployment, click New Role to create it.
    2. Give the role a Name that is identical to the name of the local deployment role that your federated search users use to run federated searches.
    3. Ensure that the role inherits its baseline capabilities from the User role. You do not need to define this remote deployment role further, because the definition of the local deployment role is applied when your users run federated searches.
    4. Click Save.

Do not give this service account role to other users or entities on the remote deployment.

If you are going to run federated searches over a federated provider with Local Knowledge Objects enabled, a best practice is to create a role on your local deployment that is dedicated to federated searches. Then you can use the name of that dedicated role when you set up the service account role for the federated provider.

For example, say your users use a role named FederatedSearchUser to run federated searches from your local Splunk deployment. When you define a service account role on the remote Splunk deployment, you should name it FederatedSearchUser as well.

Because your federated provider has Local Knowledge Objects enabled, the service account role for that federated provider inherits its access controls from the identically named role on your local Splunk deployment. This means that the Splunk software ignores any settings defined on the federated provider for the service account role.

When you identify or create a role for the service account of a federated provider that will have Local Knowledge Objects enabled, do not use the name of a role on your local deployment that grants your federated search users more data access privileges than you want them to have.

For instance, say you have a role on your local deployment with especially broad search permissions named AdminPrime. If you have a federated provider with Local Knowledge Objects enabled, and you give its service account role the name AdminPrime, users on your local deployment are granted AdminPrime search privileges when they run federated searches over that federated provider, even if they do not have the AdminPrime role.

Step two: Create a new service account user on the remote Splunk deployment and assign the role to it

The next step in creating a service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the remote deployment role you identified or created in the first step to this service account user.

See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Users.
  2. Click New user.
  3. Give the service account user a name, password, and time zone. The name and password will be referenced when you create your federated provider definition.
  4. Give this user the remote deployment role you defined or identified in the previous task.
  5. Deselect the Require password change on first login option.
  6. Click Save.
  7. Save a record of the user name and password for the service account.
    You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote Splunk platform deployment.

See Define a federated provider.

Additional security for standard mode federated providers: Federated indexes

If you are going to define a remote Splunk platform deployment as a standard mode federated provider, you need to create federated indexes on the federated search head of your local deployment. See Create a federated index.

On your local deployment, you must define additional role-based security for your users that identifies the federated indexes to which they have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

After you create federated indexes, follow these steps.

  1. On the local deployment, in Splunk Web, navigate to Settings > Roles.
  2. Click the name of a role that is associated with users who run federated searches.
  3. Click 3. Indexes to display the contents of the Indexes tab.
  4. Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
  5. Click the Included checkbox for a federated index to include search results from that index for this role.

    If Included is not selected for any federated indexes, this role cannot perform federated searches over standard mode federated providers.

  6. (Optional) Deselect the Included checkbox for federated indexes that should not return search results for this role.
  7. (Optional) Click the Default checkbox for a federated index to include search results from that index when a user that holds this role does not specify an index in their search.
  8. To save all of the changes you have made and close the dialog box, click Save.

See Create and manage roles with Splunk Web.
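As an added example (not Splunk code), the following Python audit models the two security models from the table above and the Included checkbox step for federated indexes: it parses a constructed local authorize.conf fragment (real stanza and setting names) and a constructed provider list (the lko and sa_role keys are assumptions, not federated.conf syntax), then flags a service account role that mirrors an over-privileged local role such as AdminPrime, an LKO-enabled provider with no identically named local role, and local roles that include no federated: index.

```python
import configparser
# Constructed local authorize.conf fragment (stanza and key names as in Splunk's authorize.conf).
LOCAL_AUTHORIZE_CONF = """[role_FederatedSearchUser]
importRoles = user
srchIndexesAllowed = federated:web_logs;main
[role_AdminPrime]
importRoles = admin;user
srchIndexesAllowed = main;_internal;federated:web_logs
[role_analyst]
importRoles = user
srchIndexesAllowed = main
"""
# Constructed provider records (not federated.conf syntax): LKO setting and service account role name.
PROVIDERS = [
    {"name": "prod_standard", "lko": False, "sa_role": "fs_svc"},
    {"name": "sec_transparent", "lko": True, "sa_role": "AdminPrime"},
    {"name": "hr_standard", "lko": True, "sa_role": "FederatedSearchUser"},
]

def parse_roles(conf_text):
    """Map role name -> settings from the [role_<name>] stanzas; lists use ';'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep camelCase setting names as written
    cp.read_string(conf_text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def governing_role(provider, local_roles):
    """LKO disabled: the remote service account role governs access.
    LKO enabled: the identically named local role governs instead."""
    name = provider["sa_role"]
    if not provider["lko"]:
        return "remote", name
    return ("local" if name in local_roles else "missing"), name

def is_broad(role):
    """Heuristic: a local role that imports admin is too broad to mirror."""
    return "admin" in role.get("importRoles", "").split(";")

def audit(local_roles, providers):
    findings = []
    for p in providers:
        source, name = governing_role(p, local_roles)
        if source == "missing":
            findings.append(f"{p['name']}: LKO enabled but no local role named {name}")
        elif source == "local" and is_broad(local_roles[name]):
            findings.append(f"{p['name']}: service account role {name} mirrors a broad local role")
    for rname, role in local_roles.items():  # the Included checkbox step above
        if not any(i.startswith("federated:") for i in role.get("srchIndexesAllowed", "").split(";")):
            findings.append(f"role {rname}: no federated: index included, cannot search standard providers")
    return findings
```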

Last modified on 15 October, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2107

