Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

ERROR UserManagerPro - user="system" had no roles

sylim_splunk
Splunk Employee
Splunk Employee
‎03-30-2018 10:48 AM

After 7.0.2 upgrade from 6.6.4 I'm seeing thousands of these errors in our search cluster and after looking at this for several hours, I cannot determine the source/cause of the ERROR. Using SAML authentication.

03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎03-30-2018 10:54 AM

This is a known issue, currently we are working to address it. In the meantime you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same then you may need to log a support case. Make sure to provide the below;
- Splunk Deployment architecture.
- Enable DEBUG and have it run for a few mins - depends on the frequency of the log messages.
$ ./splunk set log-level UiSAML -level DEBUG
$ ./splunk set log-level Saml -level DEBUG
$ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
$ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎03-30-2018 10:54 AM

This is a known issue, currently we are working to address it. In the meantime you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same then you may need to log a support case. Make sure to provide the below;
- Splunk Deployment architecture.
- Enable DEBUG and have it run for a few mins - depends on the frequency of the log messages.
$ ./splunk set log-level UiSAML -level DEBUG
$ ./splunk set log-level Saml -level DEBUG
$ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
$ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.

0 Karma
Reply
Solved! Jump to solution

ischoenmaker
Explorer
‎09-26-2018 08:59 AM

For everyone who (like me) is wondering if and in which release this was fixed:
This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
Resolved in Splunk 7.0.5
http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎03-30-2018 10:54 AM

Hey@sylim,

Check the following:
There might be some deprecated parameters in authentication.conf file.
Check this kind of errors in splunkd.log:
"WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead"
And apply these changes.

Let me know if this helps!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...