Step one: Create a service account role on the remote deployment
To set up a federated provider service account on a remote deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will use standard mode or transparent mode.
If the federated provider will use standard mode
If you plan to define your remote deployment as a standard mode federated provider, create a new service account role on the remote deployment. This is the role you'll give to the service account user for the federated provider in the following task. This role sets the data access privileges and restrictions for all federated searches run over this federated provider.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
- On the remote deployment, in Splunk Web, select Settings, then Roles.
- Select New Role.
- Give the role a unique Name.
Note: Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- On the Inheritance tab, ensure that the service account role has the essential capabilities for running searches by selecting the User role. Do not have the service account role inherit from the admin, sc_admin or power roles. Do not give the service account role capabilities that are equivalent to those roles. The service account role needs only to have the ability to run searches.
- Use the other New Role tabs to ensure that the role has appropriate access to data on the remote deployment for the federated searches your users will be running. Specify role capabilities, searchable indexes, search restrictions, and search-related limits.
- Select Save.
For more information about setting permissions for knowledge objects like saved searches and data models, see Manage knowledge object permissions in the Knowledge Manager Manual.
If the federated provider will use transparent mode
If you plan to define your remote deployment as a transparent mode federated provider, create a new service account role on the remote deployment. You must give the role the fsh_manage and search capabilities, and you must identify Included indexes for the service account role. This is the role you give to the service account user for the federated provider.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
- On the remote deployment, in Splunk Web, select Settings, then Roles.
- Select New Role.
- Give the role a unique Name.
Note: Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- Open the Capabilities tab and select the fsh_manage and search capabilities. When you give the federated provider service account a role with the fsh_manage capability, you turn on transparent mode federated search for the federated provider. The search capability ensures that searches can run over the transparent mode provider. If the service account user for a transparent mode federated provider does not have a role with the fsh_manage and search capabilities, that federated provider rejects all federated search requests that reach it.
- Open the Indexes tab, and select Included for the remote indexes on this federated provider that users on your local Splunk deployment can search with transparent mode federated searches.
To successfully run a transparent mode federated search, both the role of the user running the search on the local Splunk deployment and the service account role on the remote Splunk deployment must have role-based access to the same list of index names. For example, if you have the User role, and you want to run a federated search over an index named OnlineSales on a transparent mode federated provider, the following things must be true:
- Your User role must have role-based access to an index on your local Splunk platform deployment named OnlineSales.
- The service account role must have role-based access to an index on the federated provider named OnlineSales.
- (Optional) In the Indexes tab, select Default indexes for the service account role. Default indexes return results for transparent mode federated searches that do not identify an index.
Note: If you do not select a Default index, your users must identify an Included index in their federated searches to get search results from the transparent mode federated provider.
- Select Save.
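
The following is an added example, not part of the Splunk documentation or Splunk's own code: a Python check that audits a service account role definition against the rules in both procedures above and lists which index names a local user can reach on a transparent mode provider. The dict layout (name, inherits, capabilities, included_indexes) and the sample roles are assumptions constructed for illustration, and index names are compared as literal strings.

```python
import re

# Roles the page says a standard mode service account role must not inherit from.
FORBIDDEN_PARENTS = {"admin", "sc_admin", "power"}
# Capabilities the page requires for a transparent mode service account role.
TRANSPARENT_CAPS = {"fsh_manage", "search"}


def audit_service_role(role, mode):
    """Return findings for a service account role (hypothetical dict layout)."""
    findings = []
    name = role["name"]
    # Role names: lowercase only, no spaces, colons, or forward slashes.
    if name != name.lower() or re.search(r"[ :/]", name):
        findings.append(f"invalid role name: {name!r}")
    if mode == "standard":
        bad = FORBIDDEN_PARENTS & set(role.get("inherits", []))
        if bad:
            findings.append(f"inherits from privileged role(s): {sorted(bad)}")
    elif mode == "transparent":
        missing = TRANSPARENT_CAPS - set(role.get("capabilities", []))
        if missing:
            findings.append(f"missing capabilities: {sorted(missing)}")
        if not role.get("included_indexes"):
            findings.append("no Included indexes selected")
    return findings


def transparent_searchable(local_role_indexes, service_role):
    """Index names present on both sides: the local user's role and the service role."""
    included = set(service_role.get("included_indexes", []))
    return sorted(set(local_role_indexes) & included)


# Constructed sample roles, not taken from any real deployment.
SAMPLE_BAD = {"name": "Fed Svc", "inherits": ["user", "power"]}
SAMPLE_TRANSPARENT = {
    "name": "fed_svc_transparent",
    "capabilities": ["search"],
    "included_indexes": ["OnlineSales", "web"],
}

if __name__ == "__main__":
    print(audit_service_role(SAMPLE_BAD, "standard"))
    print(audit_service_role(SAMPLE_TRANSPARENT, "transparent"))
    print(transparent_searchable(["OnlineSales", "main"], SAMPLE_TRANSPARENT))
```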