We have multiple roles created in Splunk, restricted by their index. Users will be added to this role via AD group, and we use the LDAP method for authentication.
Below is authentication.conf:
[authentication]
authType = LDAP
authSettings = uk_ldap_auth
[uk_ldap_auth]
SSLEnabled = 1
bindDN = CN=Infodir-HBEU-INFSLK,OU=Service Accounts,DC=InfoDir,DC=Prod,DC=FED
groupBaseDN = OU=Splunk Network Log Analysis UK,OU=Applications,OU=Groups,DC=Infodir,DC=Prod,DC=FED
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = aa-lds-prod.uk.fed
port = 3269
userBaseDN = ou=HSBCPeople,dc=InfoDir,dc=Prod,dc=FED
userNameAttribute = employeeid
realNameAttribute = displayname
emailAttribute = mail
[roleMap_uk_ldap_auth]
<roles mapped with AD group created>
Checked this post - https://community.splunk.com/t5/Security/How-can-I-generate-a-list-of-users-and-assigned-roles/m-p/1... and tried to run the same command -
| rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as userName | rename realname as Name
I ran this in the SH search, but it returns only 5 results, although we have nearly 100 roles created. Even with splunk_server=*, the result is still the same.
I have the admin role as well and I hope I have the needed capabilities. Not sure what I am missing here. Any thoughts?
Wait. Are you saying that you're getting only a handful of results, meaning that you don't see all users? (Because that's usually the case @livehybrid described - problematic settings in role definitions cause users to not show up properly in some places.)
Or do you mean that you have 100 roles defined in your system and only see 5 roles assigned to the users? This case is actually normal because Splunk doesn't expand inherited roles. You can see all effective capabilities per user, but you can't see any "intermediate" roles - just the ones explicitly assigned to a user.
I mean we have 100 roles already assigned to the users (AD groups) and we can see only 5 roles when giving that search... We want to see all roles assigned to each user... AD group consists of many members
Ah my apologies, I misunderstood previously.
As @PickleRick said, Splunk will only be aware of any changes/additions/removals of groups when a user logs in, so this is something worth considering, although it isn't the issue here.
Can I clarify - the 100s of roles that you're referring to here, are these *all* Splunk roles that also exist in Splunk where the AD role is mapped to a specific (unique) Splunk role?
The REST endpoints will only return the Splunk role for a user not all their AD roles - I just want to make sure we're on the same page before I dig deeper! Thanks
Ok. As I said - you will only see the groups directly assigned by group mappings - no inherited roles. That's one thing.
Another thing - as far as I remember, the user is assigned roles from LDAP mapping at the time they are logging in. After that the provisioned user stays the way it is until the user logs in again, LDAP gets contacted and then user's roles are synchronized to LDAP groups.
So if - for example - your users last logged in a month ago but you added them to various LDAP groups last week, you won't see that in Splunk until they log in.
They are logging in daily but we are still not able to see their name and title
But in local/authorize.conf this stanza is not there
In your authorize.conf file you have a stanza named [role_system_admin]; remove the next two attributes:
edit_roles_grantable = enabled
grantableRoles = system_admin
These lines were required in the older versions of Splunk. Now, however, they are causing the issues you are seeing.
Check out https://community.splunk.com/t5/Security/Users-missing-from-Access-Control/m-p/487058#M11170 for more info on this fix.
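The check described in the last answer, as an added example that is not part of the original thread or Splunk's own tooling: a small Python scan of authorize.conf text that reports where `edit_roles_grantable` or `grantableRoles` is set. It goes beyond the single stanza named in the answer by reporting every `role_` stanza that carries either attribute; the function name, the second role and the sample file are constructed for illustration.

```python
import re

# Attributes the answer above says to remove from [role_system_admin].
LEGACY_KEYS = {"edit_roles_grantable", "grantableRoles"}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def find_legacy_role_settings(conf_text):
    """Return {stanza: [(line_no, key, value), ...]} for role_ stanzas
    that set any of LEGACY_KEYS. Comments and blank lines are skipped."""
    findings = {}
    stanza = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        # Only key = value lines inside [role_*] stanzas are of interest.
        if stanza is None or not stanza.startswith("role_") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LEGACY_KEYS:
            findings.setdefault(stanza, []).append((line_no, key, value))
    return findings


# Constructed sample; only the two flagged lines come from the thread.
SAMPLE_AUTHORIZE_CONF = """\
# authorize.conf (constructed sample)
[role_system_admin]
importRoles = admin
edit_roles_grantable = enabled
grantableRoles = system_admin

[role_uk_network_analyst]
srchIndexesAllowed = uk_network
"""

if __name__ == "__main__":
    for stanza, hits in find_legacy_role_settings(SAMPLE_AUTHORIZE_CONF).items():
        for line_no, key, value in hits:
            print(f"[{stanza}] line {line_no}: {key} = {value}")
```

Splunk merges authorize.conf from several directories, so a stanza missing from one local/authorize.conf may still be defined in another app or in etc/system; `splunk btool authorize list --debug` shows which file each merged setting comes from.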