Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Splunk Role Management - Disabling Roles in author...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using v8.0.4 of Splunk Enterpise. In our authorize.conf I see roles are disabled. Examples:
[role_sec_power_user]
disabled = true
[role_sec_admin_user]
disabled = true
[role_idx_data_user]
disabled = true
I've looked through the spec file for authorize.conf and no where do I see the option to disable a role. Further, I don't see an option in the GUI to disable roles.
Question: Is it possible to disable a role using this syntax above?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot disable a role, but you can add or delete them. If you want to get rid of the roles completely, you can do either of the following:
1. From GUI, Under roles, click delete.
2. In authorize.conf, remove the stanza and either reload the auth from $SPLUNK_HOME/bin, using ./splunk reload auth or reload Splunkd.
If you want to keep the roles around, you can do this as an alternative to disable.
1. Comment/hash out the entire stanza of the role like the following and either reload the auth using the command mentioned above or restart splunkd. Hashing out tells Splunk not to read the stanza, which id equivalent to disabled in your case.
#[Your_role] #rtsearch = enabled #importRoles = user #srchFilter = host=foo #srchIndexesAllowed = * #srchIndexesDefault = mail;main #srchJobsQuota = 8 #rtSrchJobsQuota = 8 #srchDiskQuota = 500
Hope this helps,
S.
Note: If it helped, please mark it as a accepted. It helps others with the same issue to reach the solution quickly.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot disable a role, but you can add or delete them. If you want to get rid of the roles completely, you can do either of the following:
1. From GUI, Under roles, click delete.
2. In authorize.conf, remove the stanza and either reload the auth from $SPLUNK_HOME/bin, using ./splunk reload auth or reload Splunkd.
If you want to keep the roles around, you can do this as an alternative to disable.
1. Comment/hash out the entire stanza of the role like the following and either reload the auth using the command mentioned above or restart splunkd. Hashing out tells Splunk not to read the stanza, which id equivalent to disabled in your case.
#[Your_role] #rtsearch = enabled #importRoles = user #srchFilter = host=foo #srchIndexesAllowed = * #srchIndexesDefault = mail;main #srchJobsQuota = 8 #rtSrchJobsQuota = 8 #srchDiskQuota = 500
Hope this helps,
S.
Note: If it helped, please mark it as a accepted. It helps others with the same issue to reach the solution quickly.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect, thank you @shivanshu1593
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
