topic Re: Cannot view users with "can_delete" role in Getting Data In

Cannot view users with "can_delete" role

hunderliggur — Tue, 29 Sep 2020 22:56:37 GMT

If I (as a user with admin role) assign the "can_delete" role to another admin role user, I can no longer see that user in the Settings > Access Controls > Users view. That user also does not show up in a rest call for the list of all users

| rest /services/authentication/users/ splunk_server=local

However, I CAN query on the missing user and get all of the information:

| rest /services/authentication/users/mysteryuserid splunk_server=local

I have tried removing the edit_roles_grantable capability but it does not change the results.

This issue causes a program we use to manage users and roles to fail since it does not see an existing user with "can_delete" role and then tries to create a new user when the user already exists.

Splunk Enterprise 7.2.1. This was not the case in Splunk Enterprise 6.6.3.

Re: Cannot view users with "can_delete" role

ellothere — Thu, 24 Jan 2019 15:30:36 GMT

Hi hunderliggur!

My full installation of Splunk 7.2.3 (Ubuntu 16.04) did not have this problem. I did try using Docker Splunk to try version 7.2.1 and could not reproduce the problem there either.

Reading through the patch notes, I wonder if SPL-129285 could be related. "The search scheduler (SavedSplunker) has scaling problems with high disabled user count and external auth systems (SAML & LDAP)".

Best of luck!

Re: Cannot view users with "can_delete" role

hunderliggur — Thu, 24 Jan 2019 18:07:30 GMT

I resolved my own problem. Comparing our two customer deployments and our in-house deployment I found that the instance with the visibility issues was caused by an edit in ./etc/system/local/authorize.conf. In the admin stanza we had:

[role_admin]
...
grantableRoles = admin
...

I removed the grantableRoles restriction and all is working now.

Weird effects

Re: Cannot view users with "can_delete" role

hunderliggur — Tue, 29 Sep 2020 22:56:04 GMT

This note showed up in the Admin Manual with version 7.2.0:

grantableRoles =
* Semicolon delimited list of roles that can be granted when edit_user
capability is present.
* By default, a role with 'edit_user' capability can create/edit a user and
assign any role to them. Roles assigned to users can be restricted by assigning
'edit_grantable_role' capability and specifying the roles in 'grantableRoles'.
When you set grantableRoles, the roles that can be assigned will be
restricted to the ones whose capabilities are a proper subset of those in the
roles provided.
* For a role that has no edit_user capability, grantableRoles has no effect.
**** NOTE: A role that has been assigned 'grantableRoles' can list only the users
whose capabilities are a subset of all capabilities of the roles assigned to
'grantableRoles'.***

The values for [role_admin] in default have edit_roles_grantable = enabled but no entry for grantableRoles.

Re: Cannot view users with "can_delete" role

nick405060 — Wed, 13 Feb 2019 21:24:47 GMT

This is absolutely nuts. I had the same issue. My admin account couldn't see any of the other admin accounts??? I understand the explanation in the above comment, but HOW on earth was this flag set without me knowing about it? This definitely needs to be fixed.... simple permissions changes in Splunk web should NOT secretly somehow set this flag to true.

Absolutely unforgivable in my opinion.

EDIT: Figured out how the flag was set and I can reproduce. In Splunk web, I added a default app for the admin role (simply the launcher) and that ALSO sets "grantableRoles = admin" for the admin role. This is not okay whatsoever. So in 7.2 if you edit the default app for a role, a byproduct of that action is making it so all other users with that role are invisible??? Lmao

Re: Cannot view users with "can_delete" role

hunderliggur — Wed, 13 Feb 2019 21:49:43 GMT

Nick - Thanks for finding out how this happened. I had a contact on another Splunk team that ran into the same problem.

Re: Cannot view users with "can_delete" role

nick405060 — Wed, 13 Feb 2019 21:55:18 GMT

the bug may exist only for default roles. i can recreate it by editing the default app for the admin role, but editing the default app for a role that i defined (called testuser_management) does not add grantableRoles.

Re: Cannot view users with "can_delete" role

nick405060 — Wed, 13 Feb 2019 22:43:11 GMT

sweet. submitted a bug report via support portal