Security

Splunk Role Management - Disabling Roles in authorize.conf

brdr
Contributor

We are using v8.0.4 of Splunk Enterpise. In our authorize.conf I see roles are disabled. Examples:

[role_sec_power_user]
disabled = true

[role_sec_admin_user]
disabled = true

[role_idx_data_user]
disabled = true

I've looked through the spec file for authorize.conf and no where do I see the option to disable a role. Further, I don't see an option in the GUI to disable roles.

Question: Is it possible to disable a role using this syntax above?

Thanks

Labels (1)
0 Karma
1 Solution

shivanshu1593
Builder

You cannot disable a role, but you can add or delete them. If you want to get rid of the roles completely, you can do either of the following:

1. From GUI, Under roles, click delete.

2. In authorize.conf, remove the stanza and either reload the auth from $SPLUNK_HOME/bin, using ./splunk reload auth or reload Splunkd.

 

If you want to keep the roles around, you can do this as an alternative to disable.

1. Comment/hash out the entire stanza of the role like the following and either reload the auth using the command mentioned above or restart splunkd. Hashing out tells Splunk not to read the stanza, which id equivalent to disabled in your case.

#[Your_role]
#rtsearch = enabled
#importRoles = user
#srchFilter = host=foo
#srchIndexesAllowed = *
#srchIndexesDefault = mail;main
#srchJobsQuota   = 8
#rtSrchJobsQuota = 8
#srchDiskQuota   = 500

Hope this helps,

S.

Note: If it helped, please mark it as a accepted. It helps others with the same issue to reach the solution quickly.

 

 

 

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

shivanshu1593
Builder

You cannot disable a role, but you can add or delete them. If you want to get rid of the roles completely, you can do either of the following:

1. From GUI, Under roles, click delete.

2. In authorize.conf, remove the stanza and either reload the auth from $SPLUNK_HOME/bin, using ./splunk reload auth or reload Splunkd.

 

If you want to keep the roles around, you can do this as an alternative to disable.

1. Comment/hash out the entire stanza of the role like the following and either reload the auth using the command mentioned above or restart splunkd. Hashing out tells Splunk not to read the stanza, which id equivalent to disabled in your case.

#[Your_role]
#rtsearch = enabled
#importRoles = user
#srchFilter = host=foo
#srchIndexesAllowed = *
#srchIndexesDefault = mail;main
#srchJobsQuota   = 8
#rtSrchJobsQuota = 8
#srchDiskQuota   = 500

Hope this helps,

S.

Note: If it helped, please mark it as a accepted. It helps others with the same issue to reach the solution quickly.

 

 

 

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

brdr
Contributor

Perfect, thank you @shivanshu1593 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...