topic Users missing from Access Control in Security

Users missing from Access Control

chillsgrove — Tue, 19 Nov 2019 21:44:44 GMT

We have almost 500 Splunk users in our organization (a mix of local and LDAP). About 200+ of our Splunk users are no longer appearing in the "User" tab under Access Control. A mix of both local users and LDAP users are not visible however they are still able to login to Splunk and use it without issues. Unfortunately I'm not able to administer their account through the GUI though.

We are using a search-head cluster on Splunk v7.3.2. I've already logged into each individual search-head and verified they are missing from all of them.

Any advice to point me in the right direction on how to solve this is greatly appreciated.

Re: Users missing from Access Control

ivanreis — Wed, 20 Nov 2019 04:40:19 GMT

Check the rest api command below:

|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name

Or run the command through CLI, but I believe the rest api can give you a better output format

./splunk list user
username: admin
full-name: Administrator
role: admin

Re: Users missing from Access Control

chillsgrove — Wed, 20 Nov 2019 23:21:50 GMT

Using the rest api command I get a return result of 292 users. However, in the $SPLUNKHOME/etc/users directory there are 451 users listed. I'm missing about 159 users in the GUI.

Re: Users missing from Access Control

cosminstefanmar — Fri, 21 Feb 2020 19:59:21 GMT

We are getting same error, did you find an explanation of why a big chunk of users might be missing when pulling via REST API?

Re: Users missing from Access Control

chillsgrove — Wed, 30 Sep 2020 04:19:05 GMT

Yes. Here is the solution that worked for us:

Option 1:

In your authorize.conf file you have a stanza named [role_system_admin] remove the next two attributes:

edit_roles_grantable = enabled

grantableRoles = system_admin

These lines were required in the older versions of Splunk. Now however they are causing the issues you are seeing.

It is recommended to make a backup of the file, remove these two lines, and then restart Splunk. This will need to be done on all of your search heads.

NEXT STEPS

In your SH diag, I see that in authorize.conf, under the [role_admin] stanza

edit_roles_grantable = enabled

grantableRoles = admin

Please edit etc/system/local/authorize.conf and from the [role_admin] stanza, remove the line

grantableRoles = admin

Restart Splunk on the SH
Login to the SH as an admin user and check if missing users are visible.

Re: Users missing from Access Control

adobrzeniecki — Tue, 09 Feb 2021 15:37:08 GMT

Hello, I am experiencing this issue as well with SAML and using Splunk 8.1.2. We have over 50+ users in SAML. THey are being mapped in authentication.conf to roles that do exist. When i run the rest call above it only shows me 20 users. These 20 users are also only showing up in the GUI. BUT when i run that rest command and add the username of someone who is missing, it returns results for that user.
I need some assistance here and i have a feeling that this may be a bug ticket. Does anyone have any information at all?