Security

How do I migrate knowledge objects from internal/local user to SAML user?

Splunk Employee
Splunk Employee

I am looking for a little more information on how to transfer ownership of existing items (dashboards, reports, alerts, etc) owned by internal users to the new saml users?

0 Karma

Influencer

In recent versions of Splunk you can use the re-asignment page.

Settings -> All Configurations -> Reassign Knowledge Objects

Use the menus and filter to narrow your search.

0 Karma

Contributor

Unfortunately, I just discovered that,
1. There is a known bug which prevents you from seeing the macros
2. This method only works for public knowledge objects, not private if the user no longer has access.
In that case, as indicated in the doc, you will have to temporarily recreate the user.

Also note that this behavior is observed in search head clusters.

0 Karma

Influencer

All true statements. For this situation, I cobbled together a bash script to hit up all meta files and use sed to replace olduser with newuser, then move the olduser directory from $splunk/etc/users to a safe place for backup. You'll then need to clear search history for the user cuz for some reasons the scheduler will see that and try to auth non-existent users. Finally, restart splunk.

The search history clean:

echo removing $ORIGOWNER from SavedSearchHistory collection cuz bug SPL-134750
for sid in `splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/ \
| grep $ORIG
OWNER | cut -d'"' -f 4 | xxd -plain | tr -d '\n' | sed 's/(..)/%\1/g' | sed -e 's/%0a/\n/g'`
do
splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/$sid -method DELETE
done

EDIT: Well that was clobbered. hopefully decipherable

Builder

Hi @hthairu, we need some more info:

  1. Have the SAML users already logged in? (ie. Are their accounts already in splunk)
  2. Do you run a search head cluster or are they standalone search heads.
0 Karma

Motivator
0 Karma

Builder

Hi @deepashri, this will only work if the SAML user has logged in already.

0 Karma