Security

Permissions to change the role of admin users in Splunk Console

splunkceh
Engager

I am an admin user in the Splunk console on prem, and I was going to update the roles of certain admin users from admin down to power.   The issue is that whenever I attempt to do this  it silently fails.  I click save and all is well but when I refresh the console they are still admin.  

We are authenticating with our AD accounts.   I am able to change the Role capabilities, but when I attempt to downgrade a user from admin to power there is not even an error message with feedback saying what happened to the operation.   

Any ideas?

Labels (2)
0 Karma
1 Solution

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

View solution in original post

gcusello
Legend

Hi @splunkceh ,

to change the role of an user, when using the LDAP authentication, you have to move it in a different AD group outside Splunk.

In Splunk you can only associate a role to an AD Group, not move users from groups or change role to an user.

Ciao.

Giuseppe

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...