I am an admin user in the Splunk console on-prem, and I was going to update the roles of certain admin users from admin down to power. The issue is that whenever I attempt to do this, it silently fails. I click save and all is well, but when I refresh the console they are still admin.
We are authenticating with our AD accounts. I am able to change the Role capabilities, but when I attempt to downgrade a user from admin to power there is not even an error message with feedback saying what happened to the operation.
Any ideas?
How did you set up authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.
The auth model works by mapping AD groups to a role. You need to remove the mapping between the users' AD group and the admin role. You can do it by removing the mapping either from the UI OR in the back-end authentication.conf file.
authentication.conf
admin = ADGroup1;ADGroup2
Let's say the users are in ADGroup2; then you have to assign a different role to the group, like below:
authentication.conf
admin = ADGroup1
user = ADGroup2
UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings
If these users are part of the same user group as yours, then either you have to create a new AD group for the admin role OR remove the users from this AD group.
If this helps, upvote would be appreciated.
Hi @splunkceh ,
To change the role of a user when using LDAP authentication, you have to move them to a different AD group, outside Splunk.
In Splunk you can only associate a role with an AD group, not move users from groups or change the role of a user.
Ciao.
Giuseppe
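Added example, not part of any post in this thread: a small Python check that resolves which users end up with the admin role under a group-to-role mapping, run against the two mappings from the first answer. The stanza name roleMap_corpLDAP, the user names and their group memberships are constructed for illustration.

```python
import configparser

# Constructed sample: the mapping from the answer, before and after the change.
# The stanza name assumes an LDAP strategy called "corpLDAP" (hypothetical).
BEFORE = """
[roleMap_corpLDAP]
admin = ADGroup1;ADGroup2
"""
AFTER = """
[roleMap_corpLDAP]
admin = ADGroup1
user = ADGroup2
"""

# Constructed AD group memberships for three hypothetical users.
MEMBERSHIPS = {
    "alice": {"ADGroup1"},
    "bob": {"ADGroup2"},
    "carol": {"ADGroup1", "ADGroup2"},
}

def load_role_map(conf_text):
    """Return {role: set(groups)} merged over every [roleMap_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role names exactly as written
    cp.read_string(conf_text)
    role_map = {}
    for section in cp.sections():
        if section.startswith("roleMap_"):
            for role, groups in cp.items(section):
                names = {g.strip() for g in groups.split(";") if g.strip()}
                role_map.setdefault(role, set()).update(names)
    return role_map

def effective_roles(role_map, user_groups):
    """A user receives every role mapped to any group they belong to."""
    return {role for role, groups in role_map.items() if groups & user_groups}

def admins(conf_text, memberships=MEMBERSHIPS):
    """Sorted list of users who resolve to the admin role under this config."""
    role_map = load_role_map(conf_text)
    return sorted(u for u, g in memberships.items()
                  if "admin" in effective_roles(role_map, g))

if __name__ == "__main__":
    print("admins before:", admins(BEFORE))
    print("admins after: ", admins(AFTER))
```

The user who sits in both groups keeps admin after the mapping change, which is the case the last paragraph of the first answer covers: that user has to leave the admin-mapped AD group, or the admin role needs its own group.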