Hi @yangban,
I can see that your issue is somewhat similar to the following Splunk Answer.
https://answers.splunk.com/answers/718467/cannot-view-users-with-can-delete-role.html
We have realized that the roles implementation/feature mechanism needs to be improved/fixed to prevent this issue and have raised SPL-164129 and SPL-155548 bugs.
In the bugs, we have identified that when a setting is modified/updated in the admin role it will add "grantableRoles = admin" in authorize.conf. This can cause the UI to not display some users vs others. This is because of a conflicting capability/capabilities between roles.
In your scenario, perhaps one of your users might have a capability enabled which the "admin" role did not. Hence, due to the conflicting capability, users with admin or other roles which do not have this capability will not be able to see the user in the UI. More information about how grantableRoles works is explained below for your reference.
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Authorizeconf#.5Brole_.3CroleName.3E.5D
NOTE: A role that has been assigned 'grantableRoles' can list only the users whose capabilities are a subset of all capabilities of the roles assigned to 'grantableRoles'.
Example: Consider a Splunk instance where role1-4 are assigned the following capabilities:
role1: c1, c2, c3
role2: c4, c5, c6
role3: c1, c6
role4: c4, c8
Users user1-4 are assigned the following roles:
user1: role1
user2: role2
user3: role3
user4: role4
You can also use the following search on any SH to view the capabilities of each role:
| rest /services/authorization/roles splunk_server=local | search title=admin OR title=<role_name> OR title=<role_name> | table title capabilities imported_srchFilter srchTimeWin imported_roles imported_capabilities srchIndexesAllowed srchIndexesDefault
To restore your admin capability to view those users again with certain roles, you can implement one of the following workarounds.
Remove the grantableRoles = admin option from the admin role in authorize.conf. Though this will need to be done every time capabilities are modified in the admin role.
Alternatively, you can add the other user role as a 'grantableRoles' to "admin". However, for any future roles that have conflicting capabilities, you will have to add them to grantableRoles as well.
Lastly, add any capabilities that the other user roles have to the "admin" role. This is probably the simplest workaround, where you would want the admin role to have all capabilities ideally.
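The subset rule quoted in the NOTE above, modelled on the answer's role1-4 / user1-4 data. This is an added example, not part of the original answer and not Splunk's own code; the grantableRoles values tried at the bottom are constructed, and role inheritance is ignored.

```python
# Model of the documented grantableRoles visibility rule (not Splunk's code).
# Role and user data come from the example in the answer above; the
# grantableRoles values tried in __main__ are constructed for illustration.
ROLE_CAPS = {
    "role1": {"c1", "c2", "c3"},
    "role2": {"c4", "c5", "c6"},
    "role3": {"c1", "c6"},
    "role4": {"c4", "c8"},
}
USER_ROLES = {
    "user1": ["role1"],
    "user2": ["role2"],
    "user3": ["role3"],
    "user4": ["role4"],
}


def caps_of(roles, role_caps):
    """Union of capabilities across roles (inherited roles are ignored here)."""
    caps = set()
    for role in roles:
        caps |= role_caps[role]
    return caps


def visible_users(grantable_roles, role_caps=ROLE_CAPS, user_roles=USER_ROLES):
    """Users whose capabilities are a subset of the grantable roles' capabilities."""
    allowed = caps_of(grantable_roles, role_caps)
    return sorted(u for u, roles in user_roles.items()
                  if caps_of(roles, role_caps) <= allowed)


def hidden_users(grantable_roles, role_caps=ROLE_CAPS, user_roles=USER_ROLES):
    """Hidden users mapped to the capabilities the grantable set lacks."""
    allowed = caps_of(grantable_roles, role_caps)
    hidden = {}
    for user, roles in user_roles.items():
        missing = caps_of(roles, role_caps) - allowed
        if missing:
            hidden[user] = sorted(missing)
    return hidden


if __name__ == "__main__":
    for grantable in (["role3"], ["role1", "role2"]):
        print(grantable, "lists", visible_users(grantable),
              "hides", hidden_users(grantable))
```

The capabilities reported by `hidden_users` are the ones that would have to be added to the listing role, or covered by an extra grantableRoles entry, for the hidden user to show up again.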