We have almost 500 Splunk users in our organization (a mix of local and LDAP). About 200+ of our Splunk users are no longer appearing in the "User" tab under Access Control. A mix of both local and LDAP users are not visible; however, they are still able to log in to Splunk and use it without issues. Unfortunately, I'm not able to administer their accounts through the GUI.
We are using a search-head cluster on Splunk v7.3.2. I've already logged into each individual search-head and verified they are missing from all of them.
Any advice to point me in the right direction on how to solve this is greatly appreciated.
Yes. Here is the solution that worked for us:
Option 1:
In your authorize.conf file you have a stanza named [role_system_admin]; remove the next two attributes:
edit_roles_grantable = enabled
grantableRoles = system_admin
These lines were required in older versions of Splunk. Now, however, they are causing the issues you are seeing.
It is recommended to make a backup of the file, remove these two lines, and then restart Splunk. This will need to be done on all of your search heads.
NEXT STEPS
edit_roles_grantable = enabled
grantableRoles = admin
Restart Splunk on the SH
Log in to the SH as an admin user and check if the missing users are visible.
Hello, I am experiencing this issue as well with SAML and using Splunk 8.1.2. We have over 50+ users in SAML. They are being mapped in authentication.conf to roles that do exist. When I run the REST call above it only shows me 20 users. These 20 users are also the only ones showing up in the GUI. BUT when I run that REST command and add the username of someone who is missing, it returns results for that user.
I need some assistance here and I have a feeling that this may be a bug ticket. Does anyone have any information at all?
Check the REST API command below:
|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name
Or run the command through the CLI, but I believe the REST API can give you a better output format:
./splunk list user
username: admin
full-name: Administrator
role: admin
Using the REST API command I get a return result of 292 users. However, in the $SPLUNK_HOME/etc/users directory there are 451 users listed. I'm missing about 159 users in the GUI.
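One way to name the accounts in that gap, as an added example that is not from this thread: it parses the `./splunk list user` output format shown above and diffs it against the entry names under $SPLUNK_HOME/etc/users. The CLI output and directory list below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the `./splunk list user` output shown above.
SAMPLE_CLI_OUTPUT = """\
username: admin
full-name: Administrator
role: admin
username: alice
full-name: Alice Example
role: user
username: bob
full-name: Bob Example
role: power
role: user
"""
# Constructed sample of entries as they would appear in $SPLUNK_HOME/etc/users.
SAMPLE_USER_DIRS = ["admin", "alice", "bob", "carol", "dave", "users.ini"]


def parse_list_user(text: str) -> Dict[str, dict]:
    """Parse `splunk list user` output into {username: {"full-name": str, "roles": [...]}}."""
    users: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(.*)$", line)
        if not m:
            continue  # blank or unrelated line
        key, value = m.group(1), m.group(2).strip()
        if key == "username":  # a new record starts; later keys belong to it
            current = users.setdefault(value, {"full-name": "", "roles": []})
        elif current is None:
            continue
        elif key == "role":  # one "role:" line per role, so collect them all
            current["roles"].append(value)
        else:
            current[key] = value
    return users


def users_missing_from_listing(listed: Dict[str, dict], entries: List[str]) -> List[str]:
    """Names present under etc/users but absent from the listing.
    users.ini is Splunk's bookkeeping file in that directory, not an account."""
    on_disk = {e for e in entries if e != "users.ini"}
    return sorted(on_disk - set(listed))
```

On a search head, feed it the real `./splunk list user` output and `os.listdir()` of $SPLUNK_HOME/etc/users in place of the constructed samples; the result is the list of on-disk accounts the product is not reporting.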
We are getting the same error. Did you find an explanation of why a big chunk of users might be missing when pulling via the REST API?