I've stumbled today on a strange thing. It started out with a case about user hitting quota limits. But when I dug into that deeper it turned out that the user doesn't show in the system.
It's not displayed in the UI, it doesn't show in the REST output of /services/authentication/users
But it is defined in etc/passwd so it can log in. And it has KOs created and assigned to it (most importantly in my case - scheduled searches). It has a role assigned in etc/passwd and it seems that that role is properly enforced (hence the quota limitations).
Anyone encountered such thing? How could such user have been "lost"?
i have had same situation on one client’s environment. The reason was that there was several inherited roles which has opposite capabilities set. Probably the best way to solve this is just comment out one inherited role one after one. They have LDAP authentication and authorization with configured both conf files in apps and directly with gui. I switched this to pure conf files in one app.
One app which could help you is https://splunkbase.splunk.com/app/4111. I just take some queries from it and modified those to get better understanding what they have defined.
Thanks for the hint! As far as I remember, this customer has single role per user but I'll see if other users with this role are visible (so far I focused on this single user).
I'll check it later and report the findings 🙂