Splunk Cloud SAML Auth Admins Unable to Edit User Roles

jbeach
Explorer

Splunk Cloud had an update this past Sunday, 3 Mar 2025. Since then, admins are unable to change a user's role. Is this a bug?

We use the Chargeback App, and have it configured to use user roles to delineate charges per team.  


livehybrid
SplunkTrust

Hi @jbeach 

In the title you mention SAML Auth. Are your users using SAML to log in to Splunk Cloud? If so, the role mappings for them should be managed by the authentication provider. It's possible that a change was made to prevent admins from trying to manually change these role mappings, as they are overwritten when a user logs in to Splunk Cloud.

One thing you could check is if you're able to modify the role of any non-SAML based users to rule out other issues.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

jbeach
Explorer

@livehybrid 

I checked the non-SAML users and I can edit them. 

I am waiting on our Splunk Engineer to answer internally, but I think your answer is most plausible. Unfortunate, but plausible. 


livehybrid
SplunkTrust

I've had a look through a bunch of the release notes for recent versions and there is no mention of a change in behaviour for this, or of it being listed as a bug fix, but again, that doesn't mean it has not been changed!

For the customers I have set up SAML for, I've always had to make a point of telling them to manage the access via the IdP. Also, don't forget that users won't automatically be deleted if they're removed from the IdP unless authentication extensions is configured. Anyway... back to the issue! Please let us know how you get on.

Glad to hear people using the chargeback app, I used it a couple of years ago and whilst it took a bit of setting up, it was great once in place!

Good luck 🙂

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

kiran_panchavat
SplunkTrust

@jbeach 

Did you review this? I don't see any known issues related to your concern.

https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/ReleaseNotes/Issues 

I kindly ask you to submit a Splunk Support ticket.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

jbeach
Explorer

@kiran_panchavat 

Thank you. I have a request in to our Splunk Engineer. I am afraid they are going to tell me what @livehybrid said--that the roles must be mapped by the auth provider.

I did look at your link, and do not see anything related to my concern--as you stated.
