Security

Permissions to change the role of admin users in Splunk Console

splunkceh
Engager

I am an admin user in the Splunk console on prem, and I was going to update the roles of certain admin users from admin down to power.   The issue is that whenever I attempt to do this  it silently fails.  I click save and all is well but when I refresh the console they are still admin.  

We are authenticating with our AD accounts.   I am able to change the Role capabilities, but when I attempt to downgrade a user from admin to power there is not even an error message with feedback saying what happened to the operation.   

Any ideas?

Labels (2)
0 Karma
1 Solution

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @splunkceh ,

to change the role of an user, when using the LDAP authentication, you have to move it in a different AD group outside Splunk.

In Splunk you can only associate a role to an AD Group, not move users from groups or change role to an user.

Ciao.

Giuseppe

anilchaithu
Builder

@splunkceh 

How did you setup authentication? Since you have mentioned AD account I am assuming LDAP (OR) SAML.

The auth model works by mapping AD groups to a role. You need to remove the mapping between the users AD group and admin role. you can do it by either remove the mapping from UI OR back-end authentication.conf file.

 

authentication.conf
admin = ADGroup1;ADGroup2

 

Lets say if the users are in ADGroup2, then you have to assign a different role the group like below

authentication.conf
admin = ADGroup1
user = ADGroup2

 

UI:
settings -> authentication methods -> LDAP (OR) SAML -> select strategy (if LDAP) -> change mappings

 

If these users are part of the same user group as yours, then either you have to create a new AD group for admin role OR remove the users from this AD Group

 

If this helps, upvote would be appreciated.

 

 

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...