https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46891#M1539 <P>The problem was caused by a search filter set on role 'A' in authorize.conf.</P> <P>here is the solution:<BR /> <A href="http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships">http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships</A></P> <P>thx</P> Fri, 30 Nov 2012 15:06:17 GMT harald_leitl 2012-11-30T15:06:17Z https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46887#M1535 <P>Hi,<BR /> I got following behavior.</P> <P>An ldap user is member of two roles. (role A = ldap groupA &amp; role B = ldap groupB)</P> <P>role A has properties set to srchIndexesAllowed = index1;index2;index3<BR /> role B has properties set to srchIndexesAllowed = index2;index4;index5</P> <P>When searching for index=* the user only sees indexes from role A (index1;index2;index3).</P> <P>In Splunk manager the user has both roles assigned.</P> <P>What am I doing wrong?</P> <P>we are currently running on 4.3.3.</P> <P>thx,</P> <P>harry</P> Wed, 28 Nov 2012 10:17:55 GMT https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46887#M1535 harald_leitl 2012-11-28T10:17:55Z https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46888#M1536 <P>Hi harald_leitl</P> <P>have a look at this <A href="http://splunk-base.splunk.com/answers/50175/ldap-authentication-troubleshooting-information">answer</A>, where you can find some basic ldap troubleshooting tips.</P> <P>cheers,</P> <P>Mus</P> Wed, 28 Nov 2012 14:57:11 GMT https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46888#M1536 MuS 2012-11-28T14:57:11Z https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46889#M1537 <P>I don't think I have a problem with authentication and ldap.</P> <P>In splunk manager I see that both splunk roles are assigned to the user.</P> <P>However, it seems the user only gets capabilities of role 'A'.</P> Wed, 28 Nov 2012 16:02:15 GMT https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46889#M1537 harald_leitl 2012-11-28T16:02:15Z https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46890#M1538 <P>As explained above, role 'A' is allowed to search through index1;index2;index3 and role 'B' is allowed to search through index2;index4;index5.</P> <P>I thought, if I assign both roles the user would be capable of searching through index1;index2;index3;index4 and index5.</P> <P>my search to verify the result:</P> <P>index=*</P> <P>The result I got:<BR /> Only events from index1;index2;index3 were included in the result.</P> <P>The result I was looking for:<BR /> events from index1;index2;index3;index4 and index5 are shown</P> Wed, 28 Nov 2012 16:02:36 GMT https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46890#M1538 harald_leitl 2012-11-28T16:02:36Z https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46891#M1539 <P>The problem was caused by a search filter set on role 'A' in authorize.conf.</P> <P>here is the solution:<BR /> <A href="http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships">http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships</A></P> <P>thx</P> Fri, 30 Nov 2012 15:06:17 GMT https://community.splunk.com/t5/Security/user-with-multiple-roles/m-p/46891#M1539 harald_leitl 2012-11-30T15:06:17Z