Users missing from Access Control

Explorer

We have almost 500 Splunk users in our organization (a mix of local and LDAP). About 200+ of our Splunk users are no longer appearing in the "User" tab under Access Control. A mix of both local users and LDAP users are not visible; however, they are still able to log in to Splunk and use it without issues. Unfortunately, I'm not able to administer their accounts through the GUI.

We are using a search-head cluster on Splunk v7.3.2. I've already logged into each individual search-head and verified they are missing from all of them.

Any advice to point me in the right direction on how to solve this is greatly appreciated.

1 Solution

Explorer

Yes. Here is the solution that worked for us:

Option 1:

In your authorize.conf file you have a stanza named [role_system_admin]; remove the next two attributes:

edit_roles_grantable = enabled

grantableRoles = system_admin

These lines were required in the older versions of Splunk. Now, however, they are causing the issues you are seeing.

It is recommended to make a backup of the file, remove these two lines, and then restart Splunk. This will need to be done on all of your search heads.

NEXT STEPS

  1. In your SH diag, I see that in authorize.conf, under the [role_admin] stanza:

edit_roles_grantable = enabled

grantableRoles = admin

  2. Please edit etc/system/local/authorize.conf and from the [role_admin] stanza, remove the line

grantableRoles = admin

  3. Restart Splunk on the SH

  4. Log in to the SH as an admin user and check if missing users are visible.
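
One way to apply Option 1 from the answer above the same way on every search head, as an added example that is not part of the original thread: it lists the two settings in each `[role_*]` stanza of an authorize.conf and returns the text with them removed. It assumes the settings are spelled `edit_roles_grantable` and `grantableRoles`; the function names and the sample file are constructed for illustration.

```python
import re

# The two settings named in the answer. Keys are compared with underscores
# stripped, so "edit_roles_grantable" and "editrolesgrantable" both match.
TARGET_KEYS = {"editrolesgrantable", "grantableroles"}
STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def scan(conf_text):
    """Yield (lineno, stanza, key, value, raw_line) for every line."""
    stanza = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        header = STANZA_RE.match(raw)
        if header:
            stanza = header.group(1)
        setting = None if header else SETTING_RE.match(raw)
        key, value = setting.groups() if setting else (None, None)
        yield lineno, stanza, key, value, raw

def is_target(stanza, key):
    """True for one of the two settings inside a [role_*] stanza."""
    return bool(stanza and stanza.startswith("role_") and key
                and key.replace("_", "").lower() in TARGET_KEYS)

def find_grantable(conf_text):
    """List (lineno, stanza, key, value) for each offending line."""
    return [(n, s, k, v) for n, s, k, v, _ in scan(conf_text) if is_target(s, k)]

def strip_grantable(conf_text):
    """Return the text without those lines; comments and all else are kept."""
    kept = [raw for _, s, k, _, raw in scan(conf_text) if not is_target(s, k)]
    return "\n".join(kept) + "\n"

# Constructed sample, modelled on the stanzas quoted in the answer.
SAMPLE = """\
[role_admin]
edit_roles_grantable = enabled
grantableRoles = admin
srchIndexesDefault = main

[role_system_admin]
grantableRoles = system_admin
# grantableRoles = old_value
"""

if __name__ == "__main__":
    for n, s, k, v in find_grantable(SAMPLE):
        print(f"line {n}: [{s}] {k} = {v}")
    print(strip_grantable(SAMPLE), end="")
```

Write the cleaned text to a new file and keep the original as the backup the answer recommends; running `find_grantable` on each search head's copy shows whether any member still carries the lines.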

Builder

Check the REST API command below:

| rest /services/authentication/users splunk_server=local
| fields title roles realname | rename title as userName | rename realname as Name

Or run the command through the CLI, but I believe the REST API can give you a better output format.

./splunk list user
username: admin
full-name: Administrator
role: admin

0 Karma

Explorer

Using the REST API command, I get a return result of 292 users. However, in the $SPLUNK_HOME/etc/users directory there are 451 users listed. I'm missing about 159 users in the GUI.

0 Karma

We are getting the same error. Did you find an explanation of why a big chunk of users might be missing when pulling via the REST API?

0 Karma