https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124309#M3788 <P>It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.</P> <P>I removed all the permissions from the user role, which then locked my admin role.</P> Tue, 16 Sep 2014 00:44:38 GMT jdbtee 2014-09-16T00:44:38Z https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124307#M3786 <P>Hi,</P> <P>I seem to have foobar'd my Admin account, resulting in the majority of the admin privileges not working through the UI:</P> <P>AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; <A href="https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1">https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1</A></P> <P>I have edited the \local\authorize to match that of the \default config and restarted Splunk via CLI, but this has not restored my previous admin privileges.</P> <P>C:\Program Files\Splunk\etc\system\local\authorize.conf as follows to reset:</P> <P>(a cut and copy from \default\authorize.conf)</P> <PRE><CODE>[role_admin] accelerate_datamodel = enabled admin_all_objects = enabled change_authentication = enabled edit_deployment_client = enabled list_deployment_client = enabled edit_deployment_server = enabled list_deployment_server = enabled edit_dist_peer = enabled edit_forwarders = enabled edit_httpauths = enabled edit_input_defaults = enabled edit_monitor = enabled edit_roles = enabled edit_scripted = enabled edit_search_server = enabled edit_server = enabled edit_splunktcp = enabled edit_splunktcp_ssl = enabled edit_tcp = enabled edit_udp = enabled edit_user = enabled edit_view_html = enabled edit_web_settings = enabled get_diag = enabled indexes_edit = enabled license_edit = enabled license_tab = enabled list_forwarders = enabled list_httpauths = enabled rest_apps_management = enabled restart_splunkd = enabled run_debug_commands = enabled # This enables the windows specific capabilities for admin edit_win_eventlogs = enabled edit_win_wmiconf = enabled edit_win_regmon = enabled edit_win_admon = enabled edit_win_perfmon = enabled list_win_localavailablelogs = enabled list_pdfserver = enabled write_pdfserver = enabled importRoles = power;user srchIndexesAllowed = *;_* srchIndexesDefault = main;os srchFilter = * srchTimeWin = 0 srchDiskQuota = 10000 srchJobsQuota = 50 rtSrchJobsQuota = 100 cumulativeSrchJobsQuota = 200 cumulativeRTSrchJobsQuota = 400 </CODE></PRE> Mon, 15 Sep 2014 16:46:13 GMT https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124307#M3786 jdbtee 2014-09-15T16:46:13Z https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124308#M3787 <P>I deleted the /local/authorize.conf (after making a copy) and replace the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.</P> <P>Restart and relax...</P> Tue, 16 Sep 2014 00:44:37 GMT https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124308#M3787 jdbtee 2014-09-16T00:44:37Z https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124309#M3788 <P>It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.</P> <P>I removed all the permissions from the user role, which then locked my admin role.</P> Tue, 16 Sep 2014 00:44:38 GMT https://community.splunk.com/t5/Security/Admin-Down-Restarting-Splunk-does-not-reload-Authorize-conf/m-p/124309#M3788 jdbtee 2014-09-16T00:44:38Z