topic Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grant in Security

New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

woodcock — Sun, 07 Jun 2020 20:06:01 GMT

I am adding a new role to allow analysts to access the Monitoring Console. I believe that the minimum set of capabilities for this to be these:

[role_moncon_user]
# ==== Capabilities   ====
dispatch_rest_to_indexers = enabled
list_accelerate_search = enabled
list_app_certs = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_inputs = enabled
list_introspection = enabled
list_metrics_catalog = enabled
list_pipeline_sets = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
list_storage_passwords = enabled
list_tokens_all = enabled
list_tokens_own = enabled
list_workload_pools = enabled
list_workload_rules = enabled
# ==== Index Values   ====
srchIndexesAllowed = *;_*

I added this to authorize.conf file in the client_all_search_base app and restarted Splunk; so far, so good. However when I try to assign this moncon_user role to anybody, after clicking Save it fails with Role=moncon_user is not grantable. I figured that I would be able to brute-force it in by manually adding it to a user in the $SPLUNK_HOME/etc/passwd file but all that did was cause splunk to disable that user completely (it doesn't even show in the GUI at all after that).

What is really happening and how can I get this to work?

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

anmolpatel — Fri, 06 Mar 2020 04:02:53 GMT

I added the above capabilities to a new authorize.conf file and then created a new user assigning the moncon_user role. I had no issues.

I'm using Splunk 7.3.4

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

sumanssah — Fri, 06 Mar 2020 05:10:29 GMT

To add and edit roles/capabilities I assume authorize.conf would be the correct file.

Please refer this Splunk doc
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Addandeditroleswithauthorizeconf

As per document

After you make changes to authentication.conf, you must refresh the authentication scheme to have the changes take effect. You can do this with either Splunk Web or the CLI. Refreshing the authentication scheme does not log users off of the system.

Refresh the authentication scheme using Splunk Web
From the system bar, click Settings > Authentication Methods.

Use the CLI command ./splunk reload auth:
./splunk reload auth

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

woodcock — Fri, 06 Mar 2020 05:34:24 GMT

No, no, no. I have restarted Splunk to no effect. That us not the problem. I am way beyond what is mentioned in this answer.

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

manjunathmeti — Fri, 06 Mar 2020 06:54:04 GMT

In authorize.conf check if setting grantableRoles is set to the role of the user you logged in to add new user.

If you are using admin and admin role is edited then grantableRoles is set to admin for admin role. You can remove this or add new role to grantableRoles.

[role_admin]
grantableRoles = admin

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

woodcock — Thu, 19 Mar 2020 00:04:09 GMT

It turns out that I had this setting in authorize.conf in a base_config app for search heads:

[role_admin]
grantableRoles = admin

I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role became grantable to every user and role.

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grant

amankhan1 — Mon, 22 Jun 2020 11:41:22 GMT

Thanks @woodcock this solved my problem

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grant

gcusello — Fri, 13 May 2022 08:29:16 GMT

Hi @woodcock,

how can I apply your solution to a Search Head Cluster?

Ciao.

Giuseppe

Re: New "role" cannot be added to any users due to "is not grantable"; how to make roles "grant

splunkreal — Fri, 12 Apr 2024 10:45:16 GMT

Hi @gcusello did you get answer from @woodcock regarding applying on all etc/system/local/authorize.conf search head nodes (preferably from GUI if possible) ?

Thanks.