Cannot view users with "can_delete" role

hunderliggur
Path Finder

If I (as a user with admin role) assign the "can_delete" role to another admin role user, I can no longer see that user in the Settings > Access Controls > Users view. That user also does not show up in a REST call for the list of all users:

| rest /services/authentication/users/ splunk_server=local

However, I CAN query on the missing user and get all of the information:

| rest /services/authentication/users/mysteryuserid splunk_server=local

I have tried removing the edit_roles_grantable capability but it does not change the results.

This issue causes a program we use to manage users and roles to fail since it does not see an existing user with "can_delete" role and then tries to create a new user when the user already exists.

Splunk Enterprise 7.2.1. This was not the case in Splunk Enterprise 6.6.3.

1 Solution

hunderliggur
Path Finder

I resolved my own problem. Comparing our two customer deployments and our in-house deployment, I found that the instance with the visibility issues was caused by an edit in ./etc/system/local/authorize.conf. In the admin stanza we had:

[role_admin]
...
grantableRoles = admin
...

I removed the grantableRoles restriction and all is working now.

Weird effects

nick405060
Motivator

This is absolutely nuts. I had the same issue. My admin account couldn't see any of the other admin accounts??? I understand the explanation in the above comment, but HOW on earth was this flag set without me knowing about it? This definitely needs to be fixed.... simple permissions changes in Splunk web should NOT secretly somehow set this flag to true.

Absolutely unforgivable in my opinion.

EDIT: Figured out how the flag was set and I can reproduce. In Splunk web, I added a default app for the admin role (simply the launcher) and that ALSO sets "grantableRoles = admin" for the admin role. This is not okay whatsoever. So in 7.2 if you edit the default app for a role, a byproduct of that action is making it so all other users with that role are invisible??? Lmao

0 Karma

nick405060
Motivator

The bug may exist only for default roles. I can recreate it by editing the default app for the admin role, but editing the default app for a role that I defined (called testuser_management) does not add grantableRoles.

0 Karma

hunderliggur
Path Finder

Nick - Thanks for finding out how this happened. I had a contact on another Splunk team that ran into the same problem.

0 Karma

nick405060
Motivator

Sweet. Submitted a bug report via support portal.

0 Karma

hunderliggur
Path Finder

This note showed up in the Admin Manual with version 7.2.0:

grantableRoles =
* Semicolon delimited list of roles that can be granted when edit_user
capability is present.
* By default, a role with 'edit_user' capability can create/edit a user and
assign any role to them. Roles assigned to users can be restricted by assigning
'edit_grantable_role' capability and specifying the roles in 'grantableRoles'.
When you set grantableRoles, the roles that can be assigned will be
restricted to the ones whose capabilities are a proper subset of those in the
roles provided.
* For a role that has no edit_user capability, grantableRoles has no effect.
**** NOTE: A role that has been assigned 'grantableRoles' can list only the users
whose capabilities are a subset of all capabilities of the roles assigned to
'grantableRoles'.***

The values for [role_admin] in default have edit_roles_grantable = enabled but no entry for grantableRoles.
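
Added example (not part of the thread and not Splunk's code): a small Python model of the listing rule in the NOTE quoted above, showing why a user holding both admin and can_delete drops out of the user list once [role_admin] carries grantableRoles = admin. The stanza contents, the user name "alice", and the omission of importRoles inheritance are simplifying assumptions.

```python
import configparser

# Constructed, simplified authorize.conf; real role stanzas carry more settings.
# Assumption: can_delete contributes delete_by_keyword, which admin does not hold.
SAMPLE_CONF = """
[role_admin]
edit_user = enabled
edit_roles_grantable = enabled
admin_all_objects = enabled
grantableRoles = admin

[role_can_delete]
delete_by_keyword = enabled
"""

# Constructed user -> roles mapping; "alice" is a hypothetical name.
SAMPLE_USERS = {"alice": ["admin"], "mysteryuserid": ["admin", "can_delete"]}

def load_roles(conf_text):
    """Parse role stanzas into {role: {"caps": set, "grantable": list}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (grantableRoles)
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            items = dict(cp.items(section))
            grantable = [r.strip() for r in items.get("grantableRoles", "").split(";") if r.strip()]
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = {"caps": caps, "grantable": grantable}
    return roles

def capabilities(roles, names):
    """Union of enabled capabilities of the named roles (importRoles not modelled)."""
    return set().union(*(roles[n]["caps"] for n in names if n in roles))

def listable_users(roles, users, viewer_role):
    """Users the viewer role can list under the NOTE's subset rule."""
    viewer = roles[viewer_role]
    # Per the manual, grantableRoles has no effect without edit_user.
    if not viewer["grantable"] or "edit_user" not in viewer["caps"]:
        return sorted(users)
    allowed = capabilities(roles, viewer["grantable"])
    return sorted(u for u, r in users.items() if capabilities(roles, r) <= allowed)

if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONF)
    print("listable by admin:", listable_users(roles, SAMPLE_USERS, "admin"))
```

Running the same check against a copy of the file without the grantableRoles line returns both users, which matches the fix described in the accepted solution.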

ellothere
Explorer

Hi hunderliggur!

My full installation of Splunk 7.2.3 (Ubuntu 16.04) did not have this problem. I did try using Docker Splunk to try version 7.2.1 and could not reproduce the problem there either.

Reading through the patch notes, I wonder if SPL-129285 could be related. "The search scheduler (SavedSplunker) has scaling problems with high disabled user count and external auth systems (SAML & LDAP)".

Best of luck!

0 Karma