Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise upgrade to 9.1.0.1, all users disappeared

tlmayes
Contributor
‎07-12-2023 06:02 AM

Upgraded several independent instances of Splunk Enterprise from various starting points, all to 9.1.0.1.   Some clustered, some standalone.

  • 8.1 -> 9.1.0.1
  • 9.0.1 -> 9.1.0.1

All had the same outcome:  When browsing to: Settings > Users and Authentication > Users, most but not all users are no longer visible in the 'Users' list, but the users still have access as validate by Splunk logs.  In the most severe case there were 100+ users, mostly SAML, some local.  Post upgrade there are 4 showing, yet in validation all can still login

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2023 06:28 AM

I used to have a similar problem (but at some earlier version) due to wrong entries in authorize.conf

If I remember correctly, it had something to do with a role having set edit_roles_grantable privilege but not having defined grantableRoles parameter. User with such role would not show in the users list but would still be able to authenticate to web interface and use the system normally.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2023 06:28 AM

I used to have a similar problem (but at some earlier version) due to wrong entries in authorize.conf

If I remember correctly, it had something to do with a role having set edit_roles_grantable privilege but not having defined grantableRoles parameter. User with such role would not show in the users list but would still be able to authenticate to web interface and use the system normally.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎07-17-2023 05:21 AM

PickleRick, seems you were right, and thanks for the response. 
There was a bug reported in 2019, that in my opinion is back with v9.1.0.1. Reference: https://community.splunk.com/t5/Security/Admin-can-t-see-users-with-a-certain-role-and-we-can-t-take... 

Adding all roles to 'grandableRoles' solved the problem.  Consider this a bug since the problem appeared immediately on several deployments, all unrelated to each other, that all worked fine immediately preceding upgrade.  

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 02:46 AM

@tlmayes - I don't see any known issues, hence I would say create a Splunk support case.

 

I hope this helps!! Consider upvoting!!!

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...