New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

woodcock
Esteemed Legend

I am adding a new role to allow analysts to access the Monitoring Console. I believe the minimum set of capabilities for this to be these:

[role_moncon_user]
# ==== Capabilities   ====
dispatch_rest_to_indexers = enabled
list_accelerate_search = enabled
list_app_certs = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_inputs = enabled
list_introspection = enabled
list_metrics_catalog = enabled
list_pipeline_sets = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
list_storage_passwords = enabled
list_tokens_all = enabled
list_tokens_own = enabled
list_workload_pools = enabled
list_workload_rules = enabled
# ==== Index Values   ====
srchIndexesAllowed = *;_*

I added this to the authorize.conf file in the client_all_search_base app and restarted Splunk; so far, so good. However, when I try to assign this moncon_user role to anybody, after clicking Save it fails with "Role=moncon_user is not grantable". I figured that I would be able to brute-force it in by manually adding it to a user in the $SPLUNK_HOME/etc/passwd file, but all that did was cause Splunk to disable that user completely (it doesn't even show in the GUI at all after that).

What is really happening and how can I get this to work?

1 Solution

woodcock
Esteemed Legend

It turns out that I had this setting in authorize.conf in a base_config app for search heads:

[role_admin]
grantableRoles = admin

I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role became grantable to every user and role.

gcusello
SplunkTrust

Hi @woodcock,

how can I apply your solution to a Search Head Cluster?

Ciao.

Giuseppe

0 Karma

amankhan1
Path Finder

Thanks @woodcock, this solved my problem

0 Karma

manjunathmeti
SplunkTrust

In authorize.conf, check whether the grantableRoles setting is set for the role of the user you logged in as to add the new user.

If you are using admin and the admin role has been edited, then grantableRoles is set to admin for the admin role. You can remove this or add the new role to grantableRoles.

[role_admin]
grantableRoles = admin
0 Karma
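
Added example (not part of the original thread, and not Splunk's own tooling): a small Python check that scans authorize.conf contents for role stanzas that set grantableRoles and reports which ones leave out a new role, together with the file that carries the setting. The sample files and their paths are constructed, and the semicolon-separated value format is an assumption.

```python
import configparser

# Constructed sample input modelled on the thread; the file paths are placeholders.
SAMPLE_FILES = [
    ("apps/base_config/local/authorize.conf",
     "[role_admin]\ngrantableRoles = admin\n"),
    ("apps/client_all_search_base/local/authorize.conf",
     "[role_moncon_user]\nlist_health = enabled\nsrchIndexesAllowed = *;_*\n"),
]


def find_grant_restrictions(files):
    """Return (path, role, grantable_roles) for every role stanza that sets grantableRoles."""
    found = []
    for path, text in files:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # setting names are case-sensitive; do not lowercase them
        cp.read_string(text, source=path)
        for section in cp.sections():
            if not section.startswith("role_") or not cp.has_option(section, "grantableRoles"):
                continue
            # Assumption: the value is a semicolon-separated list of role names.
            roles = [r.strip() for r in cp.get(section, "grantableRoles").split(";") if r.strip()]
            found.append((path, section[len("role_"):], roles))
    return found


def blockers(files, new_role):
    """Roles whose grantableRoles list leaves out new_role, with the file that sets it."""
    return [(path, role) for path, role, roles in find_grant_restrictions(files)
            if new_role not in roles]


if __name__ == "__main__":
    for path, role in blockers(SAMPLE_FILES, "moncon_user"):
        print(f"{path}: [role_{role}] grantableRoles does not include moncon_user")
```

On a running instance, `splunk btool authorize list --debug` prints the merged settings along with the file each one comes from, which is the quickest way to locate a stray grantableRoles line.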

sumanssah
Communicator

To add and edit roles/capabilities I assume authorize.conf would be the correct file.

Please refer to this Splunk doc:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Addandeditroleswithauthorizeconf

As per the document:

After you make changes to authentication.conf, you must refresh the authentication scheme to have the changes take effect. You can do this with either Splunk Web or the CLI. Refreshing the authentication scheme does not log users off of the system.

Refresh the authentication scheme using Splunk Web
From the system bar, click Settings > Authentication Methods.

Use the CLI command ./splunk reload auth:
./splunk reload auth

0 Karma

woodcock
Esteemed Legend

No, no, no. I have restarted Splunk to no effect. That is not the problem. I am way beyond what is mentioned in this answer.

anmolpatel
Builder

I added the above capabilities to a new authorize.conf file and then created a new user assigning the moncon_user role. I had no issues.

I'm using Splunk 7.3.4

0 Karma