
Admin Down! Restarting Splunk does not reload Authorize.conf after edit

jdbtee
Path Finder

Hi,

I seem to have foobar'd my Admin account, resulting in the majority of the admin privileges not working through the UI:

AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1

I have edited the \local\authorize to match that of the \default config and restarted Splunk via CLI, but this has not restored my previous admin privileges.

C:\Program Files\Splunk\etc\system\local\authorize.conf as follows to reset:

(a cut and copy from \default\authorize.conf)

[role_admin]
accelerate_datamodel = enabled
admin_all_objects = enabled
change_authentication = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_monitor = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_server = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_tcp = enabled
edit_udp = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
license_edit = enabled
license_tab = enabled
list_forwarders = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
run_debug_commands = enabled


# This enables the windows specific capabilities for admin
edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_win_admon = enabled
edit_win_perfmon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled

importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400
0 Karma
1 Solution

jdbtee
Path Finder

I deleted the /local/authorize.conf (after making a copy) and replaced the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.

Restart and relax...

jdbtee
Path Finder

It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.

I removed all the permissions from the user role, which then locked my admin role.

0 Karma
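The lockout described in this thread can be checked offline before restarting. The following is an added example, not part of the original posts and not Splunk's own code: it layers a constructed local authorize.conf over a constructed, trimmed default one and resolves importRoles to show which capabilities admin loses. The stanza contents, the function names and the simplified model (local overrides default per key, capabilities are additive across imported roles) are assumptions.

```python
import configparser

# Constructed, trimmed sample stanzas (assumption), not real Splunk defaults.
DEFAULT_CONF = """
[role_user]
list_inputs = enabled
search = enabled

[role_power]
importRoles = user
rtsearch = enabled

[role_admin]
importRoles = power;user
edit_roles = enabled
"""

# Constructed local layer: the user role's capabilities were switched off.
LOCAL_CONF = """
[role_user]
list_inputs = disabled
search = disabled
"""

def load_layers(*texts):
    """Merge conf layers in order; later layers override earlier ones per key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (importRoles, srchFilter, ...)
    for text in texts:
        cp.read_string(text)
    return cp

def effective_capabilities(cp, role, seen=None):
    """Capabilities a role enables itself plus those inherited via importRoles."""
    seen = set() if seen is None else seen
    section = "role_" + role
    if role in seen or not cp.has_section(section):
        return set()
    seen.add(role)  # guards against import cycles
    caps = {k for k, v in cp[section].items() if v.strip().lower() == "enabled"}
    for parent in cp[section].get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(cp, parent.strip(), seen)
    return caps

def lost_capabilities(role):
    """Capabilities held with default alone but missing once local is applied."""
    before = effective_capabilities(load_layers(DEFAULT_CONF), role)
    after = effective_capabilities(load_layers(DEFAULT_CONF, LOCAL_CONF), role)
    return sorted(before - after)
```

Calling `lost_capabilities("admin")` on these samples lists the capabilities that admin held only through the user role, which is why re-pasting the default `[role_admin]` stanza alone would not bring them back in this model.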