
Analytics ‘You do not have permissions to access objects of user=’ and inability to toggle certain flags

splunkceh
Engager

Two symptoms have been happening for some time and none of us know why or how this happened.  The 2 symptoms are the following:

  1. At some point recently our Splunk LDAP admin credentials stopped being able to toggle certain flags. This happens when I attempt to toggle things like:

     Disable | Enable Receiving Port 9997 (although we can all toggle receiving port 9998)

  2. When navigating to Search & Reporting and clicking on the Analytics tab we all receive the error “You do not have permissions to access objects of user=(the Splunk account actually logged in (our LDAP accounts))”

 

These are disturbing symptoms and I have been weeks on a support ticket to try to figure this out.  It makes everything suspect because if we do something in the console and permissions are not propagating or we install an app and it doesn’t install properly, then there are bigger problems that propagate because of this.

 

We have already verified that we are in the Splunk AD groups for admin that we set up and also that that group has local admin rights on the server.

 

Fixing these 2 issues and understanding what caused them will go a long way toward trusting that things are right in our instance again.

 

There is nothing that is very telling in the logs (they are all on Warn level).  

Have any of you heard of these symptoms happening or have experience with this?

What could be happening and what is a good course for hunting down the root cause?

0 Karma

apietersen
Contributor

Hi Ashley,

Reply from Splunk Support:

According to the engineering department, the fix will be released in Splunk 8.1.3. Let me know if it worked for you.

Regards

0 Karma

apietersen
Contributor

Hi splunkceh,

I have recently created several support tickets that (in my opinion) could be related to user/user-roles that gave me this impression. But it might also be related to our recent migration from 2012 R2 to Windows 2019 server. No final conclusion to be made. But I never had this kind of issue before while upgrading to a newer version. Although user/user-roles are always a mystery for me.

So, I cannot produce a direct reference to an earlier post. I have the feeling, i.e. based on the "what is new" info, that some (major security changes under the hood), unknown or unnoticed by me, and legacy configs of earlier versions etc., might be the cause of this.

i.e. @ v.806 that using the "sendemail" function needs to have explicitly the "admin_all-Object" activated. What the impact is I really have no clue, neither for me as admin nor for our other regular users with the standard user-role.

Logging in as admin, selecting "Analytics" and receiving the message "You do not have permissions to access objects of user=admin" makes me kind of nervous, not sure my instance is working correctly.
And it leaves me a bit confused and uncertain related to overall user security. NB: if you want further info about this or my recent tickets please send me a private note, because I might be wrong altogether. And thanks for your response 🙂

kind regards Ashley Pietersen

0 Karma

apietersen
Contributor

Hi,
Same here, I have been struggling since version 8.0.5x and a migration to a W2019 server. I have problems that seem to be related (I think) to users & roles and permissions. I am now on version 8.0.6, for which this problem was mentioned as having been addressed/solved, but it is still happening??

kind regards AP

splunkceh
Engager

Thank you for responding to this.  Can you please post a link that references that this is a known issue?  I have not found that.   Also support reps did not seem aware of this when on calls related to this issue.  

0 Karma

ialvarez_splunk
Splunk Employee

I've seen this before. The issue was that there was some configuration in system/local/restmap.conf, something like this:

[admin:server-info]
requireAuthentication = false

[admin:server-info-alias]
requireAuthentication = false

We removed the configuration and it worked.

0 Karma
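
The check described in the reply above, as an added example that is not part of the original thread and not Splunk's own tooling: a Python scan that walks every restmap.conf under a Splunk etc/ directory (app directories as well as system/local) and lists the stanzas that set requireAuthentication to false. The function names, the false-value spellings, the example_app name and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

FALSE_VALUES = {"false", "0", "f", "no", "n"}  # spellings this example treats as false

def unauthenticated_stanzas(text):
    """Return the stanzas in restmap.conf text that set requireAuthentication false."""
    hits, stanza = [], "(no stanza)"  # label for settings before the first header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "requireAuthentication":
            if value.strip().lower() in FALSE_VALUES:
                hits.append(stanza)
    return hits

def scan_etc(etc_dir):
    """Map every restmap.conf under etc_dir (system and apps) to its flagged stanzas."""
    etc_dir = Path(etc_dir)
    findings = {}
    for conf in sorted(etc_dir.rglob("restmap.conf")):
        hits = unauthenticated_stanzas(conf.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[conf.relative_to(etc_dir).as_posix()] = hits
    return findings

def demo():
    """Run the scan over a constructed etc/ tree (sample data, not a real instance)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        local = etc / "system" / "local"
        app = etc / "apps" / "example_app" / "default"  # hypothetical app name
        local.mkdir(parents=True)
        app.mkdir(parents=True)
        (local / "restmap.conf").write_text(
            "[admin:server-info]\nrequireAuthentication = false\n\n"
            "[admin:server-info-alias]\nrequireAuthentication = false\n")
        (app / "restmap.conf").write_text(
            "[script:example]\nrequireAuthentication = true\n")  # constructed stanza
        return scan_etc(etc)

if __name__ == "__main__":
    for path, stanzas in demo().items():
        print(path, stanzas)
```

Pointing scan_etc at $SPLUNK_HOME/etc on the instance runs the same check against the real configuration.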

apietersen
Contributor

Thanks ialvarez_splunk,

I will certainly try and let you know.

As said earlier in my support tickets, yes, we migrated to Windows 2019 last year, as it was mandatory for Splunk (before that, W2012 R2). I built a fresh test Splunk instance with the same Win2019 server, but still have the same issues as our production instance.

Will let you know.

Ashley Pietersen

 

0 Karma

apietersen
Contributor

Just checked it on our test instance: no restmap.conf file found?!

0 Karma

apietersen
Contributor

Update from Splunk support:

-=-=-=-=
I hope you are doing well. I was reviewing the known issues list and I found the issue number SPL-138647. See the link below for more information.

https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues

Let me know if it worked for you.

-=-=-=-=

Unfortunately no success yet.

0 Karma