Security

Permissions to change the role of admin users in Splunk Console

splunkceh
Engager

I am an admin user in the Splunk console on prem, and I was going to update the roles of certain admin users from admin down to power.   The issue is that whenever I attempt to do this  it silently fails.  I click save and all is well but when I refresh the console they are still admin.  

We are authenticating with our AD accounts.   I am able to change the Role capabilities, but when I attempt to downgrade a user from admin to power there is not even an error message with feedback saying what happened to the operation.   

Any ideas?

Labels (2)
0 Karma
1 Solution

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

View solution in original post

gcusello
Esteemed Legend

Hi @splunkceh ,

to change the role of an user, when using the LDAP authentication, you have to move it in a different AD group outside Splunk.

In Splunk you can only associate a role to an AD Group, not move users from groups or change role to an user.

Ciao.

Giuseppe

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...