
We have almost 500 Splunk users in our organization (a mix of local and LDAP). About 200+ of our Splunk users are no longer appearing in the "User" tab under Access Control. A mix of both local users and LDAP users are not visible; however, they are still able to log in to Splunk and use it without issues. Unfortunately, I'm not able to administer their accounts through the GUI, though.
We are using a search-head cluster on Splunk v7.3.2. I've already logged into each individual search-head and verified they are missing from all of them.
Any advice to point me in the right direction on how to solve this is greatly appreciated.

Yes. Here is the solution that worked for us:
Option 1:
In your authorize.conf file you have a stanza named [role_system_admin]; remove the next two attributes:
edit_roles_grantable = enabled
grantableRoles = system_admin
These lines were required in the older versions of Splunk. Now, however, they are causing the issues you are seeing.
It is recommended to make a backup of the file, remove these two lines, and then restart Splunk. This will need to be done on all of your search heads.
NEXT STEPS
- In your SH diag, I see that in authorize.conf, under the [role_admin] stanza
edit_roles_grantable = enabled
grantableRoles = admin
- Please edit etc/system/local/authorize.conf and from the [role_admin] stanza, remove the line
grantableRoles = admin
- Restart Splunk on the SH.
- Log in to the SH as an admin user and check if the missing users are visible.
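An added example (not part of the original answer and not Splunk tooling): it scans authorize.conf text for the two attributes named above inside [role_*] stanzas and returns a cleaned copy that can be diffed against the backup before restarting. The function name and the sample file content are constructed for illustration.

```python
import re

# Attributes the answer above says to remove from role stanzas.
LEGACY_KEYS = frozenset({"edit_roles_grantable", "grantableRoles"})
STANZA = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*(?P<key>[A-Za-z_][\w.\-]*)\s*=")

def audit_authorize_conf(text, keys=LEGACY_KEYS):
    """Return (findings, cleaned_text).

    findings: (line_no, stanza, key) for each listed attribute found inside
    a [role_*] stanza. cleaned_text: the same file with those lines dropped.
    """
    findings, kept, stanza = [], [], None
    for line_no, line in enumerate(text.splitlines(), start=1):
        header = STANZA.match(line)
        if header:
            stanza = header.group("name")
        setting = SETTING.match(line)  # commented-out lines never match
        if (setting and stanza and stanza.startswith("role_")
                and setting.group("key") in keys):
            findings.append((line_no, stanza, setting.group("key")))
            continue  # drop the line from the cleaned copy
        kept.append(line)
    return findings, "\n".join(kept) + "\n"

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[role_admin]
edit_roles_grantable = enabled
grantableRoles = admin
srchIndexesAllowed = *

# grantableRoles = old_value (commented out, ignored)
[role_system_admin]
importRoles = admin
edit_roles_grantable = enabled
grantableRoles = system_admin

[default]
grantableRoles = user
"""

if __name__ == "__main__":
    found, cleaned = audit_authorize_conf(SAMPLE)
    for line_no, stanza, key in found:
        print(f"line {line_no}: [{stanza}] {key}")
    print(cleaned, end="")
```

Pass `keys={"grantableRoles"}` to remove only that line, as in the NEXT STEPS for [role_admin]; settings outside [role_*] stanzas are left untouched.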

Hello, I am experiencing this issue as well with SAML and using Splunk 8.1.2. We have over 50+ users in SAML. They are being mapped in authentication.conf to roles that do exist. When I run the REST call above it only shows me 20 users. These 20 users are also only showing up in the GUI. But when I run that REST command and add the username of someone who is missing, it returns results for that user.
I need some assistance here and I have a feeling that this may be a bug ticket. Does anyone have any information at all?

Check the REST API command below:
|rest /services/authentication/users splunk_server=local
|fields title roles realname|rename title as userName|rename realname as Name
Or run the command through the CLI, but I believe the REST API can give you a better output format:
./splunk list user
username: admin
full-name: Administrator
role: admin

Using the REST API command I get a return result of 292 users. However, in the $SPLUNK_HOME/etc/users directory there are 451 users listed. I'm missing about 159 users in the GUI.

We are getting the same error. Did you find an explanation of why a big chunk of users might be missing when pulling via the REST API?
