If I (as a user with admin role) assign the "can_delete" role to another admin role user, I can no longer see that user in the Settings > Access Controls > Users view. That user also does not show up in a rest call for the list of all users
| rest /services/authentication/users/ splunk_server=local
However, I CAN query on the missing user and get all of the information:
| rest /services/authentication/users/mysteryuserid splunk_server=local
I have tried removing the editrolesgrantable capability but it does not change the results.
This issue causes a program we use to manage users and roles to fail since it does not see an existing user with "can_delete" role and then tries to create a new user when the user already exists.
Splunk Enterprise 7.2.1. This was not the case in Splunk Enterprise 6.6.3.
My full installation of Splunk 7.2.3 (Ubuntu 16.04) did not have this problem. I did try using Docker Splunk to try version 7.2.1 and could not reproduce the problem there either.
Reading through the patch notes, I wonder if SPL-129285 could be related. "The search scheduler (SavedSplunker) has scaling problems with high disabled user count and external auth systems (SAML & LDAP)".
Best of luck!
I resolved my own problem. Comparing our two customer deployments and our in-house deployment I found that the instance with the visibility issues was caused by an edit in ./etc/system/local/authorize.conf. In the admin stanza we had:
grantableRoles = admin
I removed the grantableRoles restriction and all is working now.
This note showed up in the Admin Manual with version 7.2.0:
* Semicolon delimited list of roles that can be granted when edituser
capability is present.
* By default, a role with 'edituser' capability can create/edit a user and
assign any role to them. Roles assigned to users can be restricted by assigning
'editgrantablerole' capability and specifying the roles in 'grantableRoles'.
When you set
grantableRoles, the roles that can be assigned will be
restricted to the ones whose capabilities are a proper subset of those in the
* For a role that has no edit_user capability, grantableRoles has no effect.
**** NOTE: A role that has been assigned 'grantableRoles' can list only the users
whose capabilities are a subset of all capabilities of the roles assigned to
The values for [roleadmin] in default have editroles_grantable = enabled but no entry for grantableRoles.
This is absolutely nuts. I had the same issue. My admin account couldn't see any of the other admin accounts??? I understand the explanation in the above comment, but HOW on earth was this flag set without me knowing about it? This definitely needs to be fixed.... simple permissions changes in Splunk web should NOT secretly somehow set this flag to true.
Absolutely unforgivable in my opinion.
EDIT: Figured out how the flag was set and I can reproduce. In Splunk web, I added a default app for the admin role (simply the launcher) and that ALSO sets "grantableRoles = admin" for the admin role. This is not okay whatsoever. So in 7.2 if you edit the default app for a role, a byproduct of that action is making it so all other users with that role are invisible??? Lmao
Nick - Thanks for finding out how this happened. I had a contact on another Splunk team that ran into the same problem.
the bug may exist only for default roles. i can recreate it by editing the default app for the admin role, but editing the default app for a role that i defined (called testuser_management) does not add grantableRoles.