Security

Accidentally Removed the admin role, now my admin account won't work.

drewrogers
Engager

While trying to create another admin role, somehow I removed all the capabilities from the original admin role. Now I cannot do anything as admin.

Is there anything I can do as root on the splunk server?

0 Karma
1 Solution

drewrogers
Engager

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

View solution in original post

0 Karma

drewrogers
Engager

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Surely you meant authorize.conf... 🙂 That's the correct place to do it, under [role_admin] stanza. Probably had a bunch of rows with "disabled" in it. Nice recovery! 🙂

jluo_splunk
Splunk Employee
Splunk Employee

Are you on a production instance with others users? Are there users that are brought in through native authentication (not using LDAP, SAML, etc)?

If this is just a test/personal instance, you can remove the passwd file in SPLUNK_HOME/etc and restart splunk. this will recreate an admin under the default login (admin//changeme), but it will also remove all user accounts associated with that splunk instance.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...