Security

User missing roles.

emmdominguez
Observer

Hello

I have users who do not have all the roles they should be associated with appearing in the Access Control>>Users webpage. Example user foo is in three ldap groups (a, b, and c) which are bound to role_a, role_b, and role_c. When I search for user foo according to splunk this users roles are role_a and role_b. If I look at the map groups for ldap strategies associated to role_a, role_b and role_c user foo is a member of each.

When I click on user foo in Access Control>>Users, selected roles is greyed out , and role_c is not assigned to the user foo only role_a and role_b. How do I get splunk to assign role_c to user foo. I also have several other user who are only getting role_c assigned to them even though they are part of either role_a and/or role_b.

Thanks

Tags (1)
0 Karma

emmdominguez
Observer

I believe I have solved this issue. From my understanding you should have one ldap strategy per ldap server. I then limited the ldap strategy with group filters. Next I map each filter to its corresponding role. Now when I view my users I can see all the roles each user is part of.

I know I can have multiple ldap strategies for one ldap server, but is there a reason to this? How can I setup users to be able to view all the roles they belong to in a multiple ldap strategy environment when authenticating to one ldap server. Is this possible?

Thanks

0 Karma

lakshman239
Influencer

reload the LDAP auth mapping and check the mapping and re-map if it still shows errors. Also, pls check the contents in authorize.conf and authentication.conf to ensure your changes are reflected.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/SetupuserauthenticationwithLDAP

https://www.splunk.com/blog/2009/08/13/ldap-auth-configuration-tips.html

0 Karma

emmdominguez
Observer

Thank you I have visited those pages several times.
Adding to my question

Can one ldap server have multiple ldap strategies in splunk?

Additionally should I be able to see all the roles a user belongs to or just the role that was used to authenticate?

For example in Under Access controls>>Users, for user foo in the roles columns, should I see all the roles the user belongs to or just the role used for authentication. Having said that where then can I see all the roles a user belongs to?

Thanks

0 Karma

lakshman239
Influencer

splunk can accept multiple LDAP strategies [ for my use case, i have used only 1]

You should be able to see all the roles the user is assigned to/mapped to.

0 Karma

emmdominguez
Observer

I believe I have solved this issue. From my understanding you should have one ldap strategy per ldap server. I then limited the ldap strategy with group filters. Next I map each filter to its corresponding role. Now when I view my users I can see all the roles each user is part of.

I know I can have multiple ldap strategies for one ldap server, but is there a reason to this? How can I setup users to be able to view all the roles they belong to in a multiple ldap strategy environment when authenticating to one ldap server. Is this possible?

Thanks

0 Karma

lakshman239
Influencer

I believe when you define multiple strategies (need diff stanza), splunk loads them and checks in round robin to get all roles.

0 Karma

emmdominguez
Observer

Makes sense, that would explain why not all my users are where they need to be. Seems like one strategy is the way to go, if I want to see in real time all the roles my user belong to.
Thanks for all your help.

0 Karma

Vijeta
Influencer

How are the users assigned to splunk , is it probably being assigned through LDAP or SAML. You will have map roles to LDAP/SAML assignment groups in splunk. Mostly the assignment group from LDAP/SAML needs to be updated for those users.

0 Karma

emmdominguez
Observer

Hello

User are assigned to splunk with ldap. I have mapped the ldap groups to the ldap strategies and assigned those strategies to the corresponding roles. The user in question belongs to all three ldap groups but according to splunk the user is only assigned two of the three roles he should have access to.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...