- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Admin Role user cannot see specific Analyst user to assign notable to
I have a problem where an admin role user cannot see another analyst user to assign specific notable events to. However, I do not have any problems when I as another admin user try to assign the analyst user that the other admin role cannot see.
I have checked notable_owners_lookup and it was filled correctly with the expected users.
What could be the issue here and where should we check?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen this issue on Linux hosts with Splunk 7.3.x, where Splunk admin roles were assigned via RBAC using AD groups. There was an issue where the AD group membership was not being correctly identified on Linux, which resulted in the user still showing as admin in Splunk, but not having Splunk admin privileges.
The issue was fixed during a Splunk upgrade, but you could also try the following if your situation is similar:
- Running systemctl restart sssd
- Open settings -> authentication methods -> reload
- Use the CLI or make an API call to reload the authentication:
./splunk reload auth
curl -k -u admin:changeme https://splunkserver:8089/services/authentication/providers/services/_reload
Also note that SAML can take up to 10 minutes to fully populate the list of analysts that can be assigned to a notable event. It may be worth waiting patiently for this list to fully update.
Alternatively, assign the admin role locally on the ES SH to rule out other authentication technologies interfering with the required permissions.
Reference: https://docs.splunk.com/Documentation/ES/6.6.2/User/Triagenotableevents#Assign_notables_to_owners
