Security

How to put a user in two different roles with conflicting index access?

Motivator

I have role #1 that can access a set of apps with limited index access.
I have role #2 that can access different apps with all external index access.
I have a user that would like both roles, but when he logs in he, only sees the apps for Role #2 and not the apps for Role #1.

Role #2 has access to all the external indexes which is fine, but Role #2 does not have access to the apps for Role #1. This was done to keep the apps off the apps menu as the personnel in Role #2 does not need to use these apps and the apps tab was too busy for them. This one person is a dual hat and needs both roles.

Any suggestion on how I can accommodate this one person without creating a separate role just for them?

Thanks in advance for any help.

0 Karma

Communicator

I am currently troubleshooting a similar scenario.
But in our case, it seems it's the LDAP Strategy that matters.

A user gets roles from two different AD groups, that are found through two different LDAP strategies.
Unfortunately (but naturally), Splunk stops looking after the first match.

0 Karma

Influencer

It's not clear to me but did you add the user to both roles?

In pure RBAC fashion, There is no explicit deny permission in Splunk for apps and Knowledge objects, so role permissions from multiple assigned roles are additive.

If they are not, this is a bug worthy of a support case. But if you're using external (LDAP or Scripted) auth, have the user execute |rest /services/authentication/current-context And double check if they are indeed assigned to multiple roles. With LDAP auth, I've seen it where if the user logs in too quickly after a change to AD, sometimes the new role doesn't take effect yet as the change didn't propagate to all servers yet. Scripted auth could also have bugs where only one role is being returned.

After double checking that both roles are active, you could try and see if the user can open by direct URL an app that they cannot see but should have access to. That would point to a bug in the launcher app.

Motivator

Thank you @acharlieh I just used the rest search you gave me. It seems that the cumulative permissions did take affect for the app and the user does have access to the apps for both roles.

The problem is the index's that the roles can search are restricted to the common set of indexes. If the index is not in both roles the user can not search the index. One role has all external indexes and one role has a limited set of indexes. The user with both roles can only search the limited set of indexes.

Any suggestions would be helpful.

0 Karma

Communicator

I was thinking some of the same: if there is a search filter on one of the roles, that would mess things up. (I know from experience 🙂 )

0 Karma

Influencer

Again, index permissions should be additive.

I'm assuming you're managing the indexes that each role is allowed to search using the boxes at the very bottom of the role editor labeled "Indexes"? (or using the srchIndexesAllowed attribute in authorize.conf )? You're not looking at the second from the bottom labeled "Indexes searched by default" ( srchIndexesDefault ), You're not using role search filters and your test of what the user is allowed to search you're using a search that explicitly lists indexes to search something like | tstats count where index=* OR index=_* by index

0 Karma